On Tuesday, as part of its quarterly release cycle, Oracle released 66 security patches to fix 43 Oracle security vulnerabilities and 23 for Sun software. Many of the patches were for threats ranked at the highest risk level under the Common Vulnerability Scoring System (CVSS) version 2.0.
CPUJan2011 provides fixes across a wide range of products, including six for Oracle’s database and 16 for middleware products in the Oracle line. Other fixes patch Oracle’s Enterprise Manager, PeopleSoft, JD Edwards, Glassfish and OpenOffice.
In its advisory, the company strongly recommended that customers apply CPU fixes as soon as possible. “Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack,” it stated.
While many experts have commented that this quarterly release was on the low side, some point out that over the past two years Redwood Shores, Calif.-based Oracle has acquired so many companies (14), including Virtual Iron, Passlogix and Sun Microsystems, that a quarterly release cycle is insufficient.
“Oracle patching needs fixing,” said Amichai Shulman, CTO of Imperva, on the company’s blog. “The quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year. I can’t believe there is only one database fix quarter-to-quarter when there must be dozens or even hundreds of vulnerabilities.”
Formerly, when Oracle had far fewer products, the company would patch 100 database vulnerabilities at a time, he added. “One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products.”
Additionally troubling, Shulman wrote, is that “Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening.”
Oracle did not issue a response to Shulman’s post. However, on The Oracle Global Product Security Blog, along with descriptions of the updates, is an announcement of “an enhancement to the Critical Patch Update documentation.” Oracle claims it will now publish a plain English version of the risk matrices intended for the less technically proficient.
Further, Oracle recently published a technical white paper, “Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture,” [PDF download] to assist IT administrators.
Oracle is scheduled to release patches for Java SE and Java for Business next month.