Oracle issued its latest batch of security patches for its software products on Wednesday.
The Critical Patch Update addresses 89 vulnerabilities across the Oracle product line, ranging from Oracle Database Server 10g, Oracle Application Server, Oracle Collaboration Suite and Oracle E-Business Suite and Applications to J.D. Edwards EnterpriseOne.
Today's release nearly doubles the number of fixes delivered in Oracle's previous patch round.
Some of the patches are not themselves security-related, the company's advisory states, but must still be applied because of dependencies between the security fixes and other software components.
Security experts at the Computer Emergency Response Team Coordination Center (CERT/CC) recommend that administrators assess the patches against their own deployments before applying them. Oracle officials say the patch is not needed for client-only installations.
“The impact of these vulnerabilities varies depending on the product, component, and configuration of the system,” a CERT/CC report on the patches stated.
“Potential consequences include remote execution of arbitrary code or commands, information disclosure, and denial of service. An attacker who compromises an Oracle database may be able to gain access to sensitive information.”
Exactly which security vulnerabilities the Oracle patch fixes remains largely unknown. As a matter of policy, Oracle does not publish specifics on its security bugs, listing only the affected software component, the severity of the risk and the affected versions. In some cases, Oracle recommends workarounds as an alternative to patching the system.
Details of Oracle vulnerabilities are usually published by security firms tracking software products.
In July, a German research firm reported that Oracle users might remain exposed to half a dozen vulnerabilities in Oracle products even after applying the latest patch.
Oracle now provides security patches on a quarterly basis, a schedule that has shifted repeatedly over the past year.
In August 2004, the company moved from releasing security patches on a yearly or quarterly basis to a monthly one in order to respond to vulnerabilities more promptly.
The company soon ran into delays getting patches out on that schedule, prompting it to reverse the policy and return to quarterly releases.