Software // Enterprise Applications
News
1/12/2007
01:25 PM
Connect Directly
RSS
E-Mail
50%
50%

Oracle To Patch 55 Database, App Server Bugs Next Week

The 55 patches include 24 for bugs that can be exploited remotely by attackers, which generally are considered critical threats by security researchers and vendors.

Taking a page out of rival Microsoft's playbook, Oracle on Thursday issued its first-ever advanced warning that spells out the number and severity of the patches it plans to release to fix flaws in its flagship database and other software.

According to the advance notification posted on Oracle's Web site, the quarterly Critical Patch Update, scheduled to roll out Jan. 16, will include 55 patches, including 24 for bugs that can be exploited remotely by attackers. Generally, such flaws -- characterized by Oracle as "remotely exploitable without authentication" -- are considered critical threats by security researchers and vendors.

The planned disclosures and patches affect Oracle Database (27 patches, 10 for remote code execution vulnerabilities), Application Server (12/8), E-Business Suite and Applications (7/0), Oracle Enterprise Manager (6/5), and PeopleSoft Enterprise and JD Edwards EnterpriseOne (3/1). Other products, including Oracle Collaboration Server, also must be patched because they use flawed components of some of the fixed applications.

Security vendor Symantec told users of its DeepSight threat management system to set aside time starting Tuesday to deploy the Oracle fixes. "Due to the critical nature of some of these issues, customers are advised to allocate resources for the immediate deployment and testing of vendor patches," Symantec said in its own alert on the upcoming security roll out.

Last October, Oracle instituted a ranking system for the vulnerabilities it planned to patch, and said the changes were made after gathering feedback from customers. The new advance notification -- similar to the practice at Microsoft, which releases limited information the week before its monthly patch release -- is another such customer-oriented tool, said Oracle Thursday.

"It is our hope that these pre-release announcements will become valuable tools to help security professionals analyze the criticality of the forthcoming CPUs and brief their management to obtain any necessary approvals for a timely application of the CPUs," said Duncan Harris, senior director of security assurance, in a blog entry.

Oracle's CPU will be released Tuesday at noon Pacific time, and will be available from the update page of the Oracle Technology Network.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.