Oracle To Patch 55 Database, App Server Bugs Next Week

Taking a page out of rival Microsoft's playbook, Oracle on Thursday issued its first-ever advanced warning that spells out the number and severity of the patches it plans to release to fix flaws in its flagship database and other software.

According to the advance notification posted on Oracle's Web site, the quarterly Critical Patch Update, scheduled to roll out Jan. 16, will include 55 patches, including 24 for bugs that can be exploited remotely by attackers. Generally, such flaws -- characterized by Oracle as "remotely exploitable without authentication" -- are considered critical threats by security researchers and vendors.

The planned disclosures and patches affect Oracle Database (27 patches, 10 for remote code execution vulnerabilities), Application Server (12/8), E-Business Suite and Applications (7/0), Oracle Enterprise Manager (6/5), and PeopleSoft Enterprise and JD Edwards EnterpriseOne (3/1). Other products, including Oracle Collaboration Server, also must be patched because they use flawed components of some of the fixed applications.

Security vendor Symantec told users of its DeepSight threat management system to set aside time starting Tuesday to deploy the Oracle fixes. "Due to the critical nature of some of these issues, customers are advised to allocate resources for the immediate deployment and testing of vendor patches," Symantec said in its own alert on the upcoming security roll out.

Last October, Oracle instituted a ranking system for the vulnerabilities it planned to patch, and said the changes were made after gathering feedback from customers. The new advance notification -- similar to the practice at Microsoft, which releases limited information the week before its monthly patch release -- is another such customer-oriented tool, said Oracle Thursday.

"It is our hope that these pre-release announcements will become valuable tools to help security professionals analyze the criticality of the forthcoming CPUs and brief their management to obtain any necessary approvals for a timely application of the CPUs," said Duncan Harris, senior director of security assurance, in a blog entry.

Oracle's CPU will be released Tuesday at noon Pacific time, and will be available from the update page of the Oracle Technology Network.