Oracle addressed 89 vulnerabilities affecting more than 20 of its products as part of its quarterly Critical Patch Update (CPU).
Among the most concerning of the bugs was a flaw in an XML Parser component of the popular Oracle Database Server, which could be exploited by a remote attacker who has a valid username and password. The vulnerability received a Common Vulnerability Scoring System (CVSS) rating of 9.0 out of 10, making it the most severe of the 89 flaws.
Other vulnerabilities of concern were two remotely exploitable bugs in Oracle's Solaris 11, an operating system developed with cloud computing needs in mind. The kernel and driver vulnerabilities received the second most severe CVSS ratings in the update, 7.8.
Craig Young, a researcher at Portland, Ore.-based security firm Tripwire, said Tuesday in prepared comments sent to SCMagazine.com that the high number of Oracle vulnerabilities this quarter was concerning, especially since a substantial portion were found by those outside the company.
“The constant drumbeat of critical Oracle patches is more than a little alarming, particularly because the vulnerabilities are frequently reported by third parties who presumably do not have access to full source code,” Young said. He also pointed out that this month's CPU credited 18 different researchers from more than a dozen different companies.
“It's also noteworthy that every Oracle CPU release this year has plugged dozens of vulnerabilities,” Young said. “By my count, Oracle has already acknowledged and fixed 343 security issues in 2013. In case there was any doubt, this should be a big red flag to end-users that Oracle's security practices are simply not working.”
For Oracle's next CPU in October, the company announced it will begin to incorporate fixes for Java, consolidating its major updates for customers. The measure is part of an overhaul of changes Oracle is making to improve the security of its long-criticized Java browser plug-in.

[An earlier version of this article incorrectly stated that the XML Parser flaw could be exploited by an unauthenticated attacker.]