Oracle Ships Mega Update for DB, Server Flaws

Oracle has shipped a monster critical patch update with fixes for more than 100 security vulnerabilities in a wide range of database and server products.

The new-look bulletin, which includes CVSS (Common Vulnerability Scoring System) severity scores, patches about 120 bugs in the Oracle Database Server, Oracle Application Server, Oracle Application Express, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle's PeopleSoft Enterprise, and Oracle's JD Edwards EnterpriseOne applications.

According to Eric Maurice, security manager in Oracle's Global Technology Business Unit, more than one-third of the vulnerabilities covered in the quarterly patch release are in an optional product (35 vulnerabilities for Oracle Application Express) and do not affect most customers.

The October batch is the largest CPU released by the Redwood Shores, Calif., vendor since the quarterly release schedule was implemented in January 2005.

Read more here about Oracle's long-overdue security alerts makeover.

Cesar Cerrudo, CEO of Argeniss, a database security research company in Buenos Aires, Argentina, said the most serious bug affects Oracle Application Express (formerly called Oracle HTML DB) and could be exploited remotely without username/password authentication. The bug carries a CVSS base score of 7.0, the highest score in the entire CPU.

There are 22 different patches for the company's flagship Oracle Database product, but none is considered remotely exploitable without authorization. The highest CVSS score for the Oracle Database flaws is 4.2.

The vendor-neutral CVSS standard is used to compute severity scores strictly from metrics and formulas. Oracle offers two CVSS scores—on a scale of 1 to 10—to help customers determine which flaws are considered high-risk.

The Oracle CPU has undergone a significant makeover aimed at making it easier for customers to read and understand the information in the alerts. In addition to CVSS scores, it also features an extra column that explains whether vulnerabilities can be exploited remotely without user name and password authentication and an executive summary detailing what's being fixed in tabular form.

"What's amazing is there are still a lot of unpatched vulnerabilities, even after this big batch," Cerrudo said in an interview with eWEEK. "There are still more than 50 unpatched bugs that we reported to Oracle," he added.

Check out eWEEK.com's for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzer's Weblog.