Oracle Critical Patch Update Is A Big Debugger

Oracle will patch 78 software vulnerabilities across its product portfolio, including the database, PeopleSoft and Solaris

Oracle will deliver patches for almost every product in its portfolio in its quarterly Patch Tuesday update next week. July’s update package is slightly larger than the April update in which 73 issues were fixed and a number of critical flaws were patched.

Oracle plans to fix 78 security vulnerabilities, including 13 issues in its flagship database software in the next Critical Patch Update (CPU), the company said in its CPU pre-release announcement. Of the fixed issues, Oracle classified 27 vulnerabilities as critical or issues that may be exploited remotely without requiring a user name or password.

A Wide-Ranging Set Of Fixes

July’s CPU will contain updates to Oracle Database Server 11g and 10g, Oracle Fusion middleware, Oracle Enterprise Manager Grid Control, Oracle Application Server, Oracle Identity Management, E-Business suite, Supply Chain product suite and PeopleSoft will be updated. There will also be security fixes addressing security flaws in the Oracle Sun product suite, including Solaris, SPARC and VirtualBox, according the Oracle’s pre-release announcement.

This quarter’s CPU is expected on July 19.

“I’m glad to see that Oracle has addressed some of these critical vulnerabilities,” Josh Shaul, CTO of Application Security, told eWEEK.

Of the 13 database fixes, two are considered critical, and two are applicable to client-only installations where Oracle Database Server is not installed. The highest CVSS (Common Vulnerability Scoring System) Base Score for database bugs was 7.1.

The CVSS is used to assign a score with each disclosed vulnerability to determine a sense of urgency on when it should be patched. In many organisations, if a vulnerability is not reported as critical or has a CVSS score of 7.0 and higher, it is less likely to be considered urgent or worthy of a fix, according to Application Security’s TeamSHATTER researchers.

There are three fixes for Oracle Secure Backup, all of which are critical. The highest CVSS Base Score was 10, the highest score possible under the system.

There will be seven fixes for Oracle Fusion middleware, of which two are critical. The highest CVSS score was also 10. The middleware patches will include fixes to the Oracle Security Service and JRockit.

Of the 18 vulnerabilities fixed in the Oracle Enterprise Manager Grid Control, nine may be critical. The highest CVSS score is 6.8. The E-Business suite has only one fix, which is critical and rated 4.3 while the single vulnerability in the Oracle Supply Chain products suite is not critical, and scored a mere 4.0.

“It’s disappointing to see Oracle introducing new vulnerabilities to their customers through these security products (Database Vault and Enterprise Manager), but it’s encouraging to see them being addressed,” Shaul said.

The PeopleSoft update addresses 12 new fixes, only one of which is remotely exploitable. The severity appears to be low, as well, as the highest CVSS score was 5.5. The Oracle Sun suite had the greatest number of bug fixes, at 23 new patches. Nine were critical, and the highest CVSS score was 10. Bugs were addressed in GlassFish Server, Solaris Cluster, VirtualBox for running virtual machines, Solaris operating system and for the SPARC processor.

Java is not included in the Sun Products suite update as Oracle still has a separate update cycle for client-side Java products. In the last update, in June, 17 Java vulnerabilities were patched.