Oracle Patches 51 Flaws - InformationWeek
IoT
IoT
Software // Enterprise Applications
News
1/17/2007
02:57 PM
50%
50%

Oracle Patches 51 Flaws

Of the 51 patches, 26 are in the company's flagship Oracle database.

Oracle on Tuesday released its first set of 2007 security updates with fixes for 51 flaws, 34 of which can be exploited remotely without authentication, a category typically classified as "critical" by security analysts.

Of the 51 patches -- one fewer than Oracle said would be released when it posted its first-ever pre-announcement bulletin last week -- 26 are in the company's flagship Oracle database. Other patched products include Oracle Application Server, Oracle E-Business Suite and Applications, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne.

The January Critical Patch Update, as Oracle dubs its quarterly security fixes, was half as large as the previous one. That CPU, issued in October 2006, featured 101 patches.

"This wasn't the largest," says Amichai Shulman, chief technology officer of Imperva, an Israeli data center security vendor. "And we've seen a lot of these same vulnerabilities, or similar vulnerabilities in previous CPUs." It's not unusual, says Shulman, for already fixed Oracle vulnerabilities to reappear or to require repatching.

Oracle, which also recently instituted a scoring system to rank the risk of the individual vulnerabilities within a CPU, got good marks from Shulman for effort, but he says the company still has a long way to go to give customers enough information on what needs patching first.

"It's all still confusing," says Shulman. "What am I going to do with the pre-announcement? And once I see the CPU, how do I find out if I'm vulnerable or not? You can't get that from the pre-announcement, and you can barely get that from the CPU.

He also dinged Oracle for its risk rankings, saying that they were too low. "Oracle has the tendency to lower the vulnerability ranking. The most serious of this CPU is [ranked] 7 out of 10. But most every security expert would have ranked that one much higher."

Danish vulnerability tracker Secunia, for example, rated the overall CPU as "highly critical," its second-from-the-top mark.

One patch didn't make it into the CPU. "An issue was detected with one of the database fixes for a number of database versions," said Eric Maurice, Oracles' security manager, in a blog entry Tuesday. "Per our policy, which is intended to ensure that all customers have an equal security posture, we removed the fix from the January CPU." The omitted patch may be released in the next Oracle security update, which will appear April 17.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
[Interop ITX 2017] State Of DevOps Report
[Interop ITX 2017] State Of DevOps Report
The DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll