Oracle To Release Patch To Fix 37 Bugs

Oracle's Critical Patch Update, which is being released next Tuesday, includes fixes for 13 Oracle Database bugs and five Application Server bugs.
Oracle announced it will be releasing a Critical Patch Update on Tuesday, April 17, to fix 37 bugs across its product lines.

The company described seven of the bugs as serious, according to a pre-release advisory. The Critical Patch Update is a collection of patches for multiple security vulnerabilities.

The update will fix 13 bugs in the company's flagship Oracle Database and five in the Oracle Application Server, noted the advisory. Eleven bugs are being fixed in the Oracle E-Business Suite. Some of these bugs can be remotely exploited without authentication.

Oracle did note that the list of bugs being fixed could change by next week when the patch is released.

"It sounds like a typical Oracle patch," said Johannes Ullrich, chief research officer at the SANS Institute and chief technology officer for the Internet Storm Center, in an interview. "They send out patches quarterly so there tends to be loads of them. The thing with Oracle is that the database is behind a firewall and not directly connected to the outside, so it's not as bad. Oracle, though, is more than just a database. There are all these little add-on products and it's not always clear what add-ons you have to have installed to be vulnerable to different bugs."

The company is taking a page out of Microsoft's book by releasing advance advisories that a patch update is coming out. The first advance warning came in January. That patch fixed 51 bugs, including 26 that were in the Oracle database.

The January patch and the planned April patch are significantly smaller than the security update that came out in October. That one fixed 101 bugs.

Microsoft released its monthly Patch Tuesday update this week. It fixed five flaws, including a critical bug in Windows Vista. The update also included the emergency .ANI patch that was first issued last week. Ullrich explained the .ANI patch was re-released to make sure users who only check for the monthly updates would be protected from the exploits that have been circulating on the Internet.

Editor's Choice
Samuel Greengard, Contributing Reporter
Cynthia Harvey, Freelance Journalist, InformationWeek
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Astrid Gobardhan, Data Privacy Officer, VFS Global
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing