Oracle Rolls Out 51 Security Patches

Oracle on Tuesday released a new Critical Patch Update addressing 51 security flaws across a variety of its products. The release was Oracle’s ninth such quarterly update, and was the first to be preannounced. The release was initially announced last Thursday.

Included among the patches are security fixes for Oracle Database Server, Oracle Applications Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager and Oracle PeopleSoft Enterprise Applications.

Twenty-six of the patches are for Oracle Database products, many of them addressing vulnerabilities to remote intrusion without a user name or password. The update also includes non-security fixes that are required by the security patches. The company recommends that customers apply all patches promptly.

52 Minus 1

Although the preannouncement had indicated that 52 patches would be released, one was withheld at the last minute after a technical problem was discovered, according to a blog written by Eric Maurice, manager for security in Oracle’s Global Technology Business Unit.

“Per our policy, which is intended to ensure that all customers have an equal security posture, we removed the fix from the January CPU,” Maurice said. The missing patch will be released in the next Critical Patch Update, due in April, he added. The last Critical Patch Update, released in October, included 101 fixes.

Starting last October, Redwood Shores, Calif.-based Oracle expanded its Critical Patch Update documentation to include executive summaries and common vulnerability scoring system (CVSS) scores to reflect the severity of the security flaws being addressed. It also began explicitly identifying vulnerabilities that could be remotely exploitable without authentication via user name and password.

By preannouncing the patches coming in forthcoming updates and providing expanded information about what they will entail, the company hopes to help customers be better prepared and keep their data safe.

Listening to the Customers

“Oracle introduced these changes as the result of feedback we received from many of our customers,” Maurice explained. “We hope that these changes will help our customers assess the criticality of the vulnerabilities resolved with each [update] and help them obtain patching decisions from their senior management more quickly.

“Ultimately, we feel these changes should result in further strengthening the security posture of our clients by providing a standard approach to vulnerability scoring and a means for better internal communication.”

The improved communication with customers seems to be a strategy Oracle has embraced following its acquisition of PeopleSoft, Siebel and others, and is bound to improve customer relations, noted Rebecca Wettemann, vice president of research for Nucleus Research.

“I think it’s a great move on Oracle’s part,” Wettemann said. “The more they can help customers plan for the future, the happier and more loyal those customers will be.”