Patch/Configuration Management, Vulnerability Management

Oracle patch cycle includes first 11g database fix

Oracle today delivered 26 security fixes spanning the company's entire product family, including the first for its new 11g database, as part of its latest quarterly Critical Patch Update (CPU).

Ted Julian, vice president of strategy and marketing for Application Security Inc., a database-monitoring and control vendor, told today that the severity levels of vulnerabilities identified in the 11g database, the latest version of Oracle's database that runs on Linux, were relatively low.

None of these vulnerabilities in the 11g can be leveraged remotely, he added. 

“Eight vulnerabilities within the core database is historically low, and the severity level is fairly low, as well, ranging from zero to 6.5 [out of 10 on the Common Vulnerability Scoring System]," Julian said. "One of the main vectors we look at is whether a vulnerability can be leveraged remotely or requires some authentication to be effective, and in this case, none of the eight is remotely vulnerable."

As the company had revealed in its pre-release announcement, the most serious security issue impacted the Oracle Application Server, which has more than one vulnerability with a CVSS score of 9.3. In addition, six of the 26 security fixes affect the Oracle Application Server, and five of them are remotely exploitable without requiring a username or password.

Two fixes for Oracle Application Server are applicable for client-only installations, company officials said.  The affected components include the Oracle BPEL Worklist Application, Oracle Forms, Oracle Internet Directory, Oracle JDeveloper and Oracle JInitiator.

Amichai Shulman, chief technology officer and director of the application defense center at application security vendor Imperva, agreed with Julian on one point.

"This is a surprisingly small patch -- we haven't seen any smaller in the past three years," he told "That's a good sign, that they're gaining [on security issues]."

Shulman was puzzled by the 11g fix, noting that this CPU "included a fix for a vulnerability whose function had no effect, as strange as it sounds."

“Oracle does not disclose a lot of technical information about the vulnerabilities," he said. "For this particular vulnerability, they mentioned no possible effects, so how come it's a vulnerability?"

Shulman also noted flaws in Oracle's E-Business Suite and Oracle Forms, which can allow an attacker to take over a victimized machine.

In its previous update, issued in October, Oracle included 51 security fixes affecting numerous products. The company has scheduled its next update cycle for April 15.

Meanwhile, database-security vendor Sentrigo revealed this week in a survey that barely 10 percent of Oracle database administrators had applied the most recent CPU.

The Woburn, Mass-based vendor conducted "rolling" surveys of 305 database professionals at Oracle Users Group (OUG) meetings in the United States beginning last August at the Capital Area OUG in Reston, Va. It also surveyed Oracle database administrators in Chicago, Portland, Ore., Salt Lake City, Charlottesville, Va. and Cincinnati.

Just 31 of the OAU participants, or 10 percent of the 305 respondents, reported that they applied the most recently issued Oracle CPU. And 206 out of 305 OUG attendees, or 67.5 percent, said they had never applied any Oracle CPU.

"This survey scares the heck out of me," Mike Rothman, president and principal analyst of Security Incite, told today. "The database is where most of an organization's critical and regulated data resides and if it's not patched in a timely fashion, organizations are asking for trouble."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.