Oracle today released 51 unique fixes as part of its latest quarterly security update.
The patches comprise:
· 26 fixes for Oracle Database products to address 10 vulnerabilities that may be remotely exploitable without authentication;
· a dozen fixes for Application Server, remedying eight flaws that may be remotely exploitable;
· seven fixes for the E-Business Suite, which contain no remotely exploitable vulnerabilities;
· six fixes for Enterprise Manager, sewing up five remotely exploitable holes; and
· three fixes for PeopleSoft Enterprise, addressing one remotely exploitable bug.
Some of the fixes correspond to vulnerabilities across products.
The most severe vulnerabilities affect Oracle Database and E-Business Suite and are rated seven out of 10, according to Oracle's Common Vulnerability Scoring System (CVSS) ratings.
"Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible," the company said today in an advisory.
For the first time, the database giant issued a pre-patch announcement that detailed its plans for today's release, much in the same way Microsoft does each month. The move was largely hailed as a way for IT administrators to get a better handle on the Oracle patching process.
But experts said Oracle - which has been forced to patch an increasing number of flaws over the past year - should concentrate on building security in.
"This is another step in the right direction by Oracle," said Paul Davie, CEO of U.K.-based database security vendor Secerno. "But users need to beware: it's not the vendor vulnerabilities they need to focus on but the critical weaknesses in their development process."
Reporter: Dan Kaplan.