Oracle releases 51 patches, unveils new vulnerability rating system

Oracle on Tuesday delivered 51 fixes in a quarterly patch distribution that included an updated scoring system for organizations to measure the risk and impact of vulnerabilities.

Twenty-seven patches correct vulnerabilities in the widely deployed Oracle Database Server, five of which are remotely exploitable.

The most severe bug carries a Common Vulnerability Scoring System (CVSS) version 2 rating of 6.5 out of 10.

CVSS version 2 was improved to make the scores more accurate, Eric Maurice, manager of security in Oracle's global technology business unit, said on the company's Global Product Security Blog.

"[It] is designed to address the criticism that CVSS scores tended to be clustered around few score values," Maurice wrote. "A number of new distinctions are introduced that result in further spreading the typical range of the CVSS 'base score' and making the standard more representative of real-world vulnerabilities."

That includes expanding the distinctions among "access vectors" to better explain what access rights an attacker requires to exploit a vulnerability.

But Amichai Shulman, CTO of database security firm Imperva, told SCMagazineUS.com that the updated system fails to paint an accurate picture. He said some of the database server bugs that were patched are more severe than the scores might indicate.

"A lot of the vulnerabilities in this release are vulnerabilities that do not require any special privileges," he said. "As long as you can connect to the database server, you can exploit those vulnerabilities."

The update also offered 11 fixes for the Application Server, eight for the E-Business Suite, three for PeopleSoft Enterprise and two for Enterprise Manager.
