Database giant Oracle today released 101 fixes, marking its largest quarterly critical patch update (CPU) in more than a year.
The update delivered fixes for a host of company solutions, including Oracle Database (22 patches), Application Server (14), E-Business Suite (13) and PeopleSoft Enterprise (eight).
None of the bugs in Oracle Database - the vendor's most popular product - are remotely exploitable without authentication, according to the CPU advisory. The highest risk assessment score for a Database flaw - on the CVSS scale of 0 to 10 - was 4.2.
But Amichai Shulman, CTO of data security firm Imperva, objects to the low ratings, telling SCMagazine.com today that Oracle is attempting to downplay the severity of the flaws. He said that even though the holes are not exploitable without valid credentials, they still pose a high risk for most organizations, because those credentials are widely held.
"A lot of people have access to a database within an organization," he said. "Saying access credentials are an impeding factor is not that true. You have many low-privileged users in an organization."
Meanwhile, five of the six vulnerabilities in Oracle HTTP Server are remotely exploitable without authentication, as are 25 of the holes in Oracle Application Express, an optional product bundled with some Database versions. In addition, 13 of the 14 Application Server vulnerabilities can be exploited remotely.
This CPU appears to top any of the previous releases - Oracle began issuing quarterly updates in January 2005 - although Eric Maurice, security manager in Oracle's Global Technology Business Unit, said today in a blog post that this quarter's seemingly high total is misleading.
"More than one-third of the vulnerabilities patched in this CPU are in optional products (35 vulnerabilities for Oracle Application Express) and do not affect most customers," he said. "It is also worth noting that 22 of the vulnerabilities addressed in this CPU affect Oracle Database, but none of these vulnerabilities impact Oracle Database Client."
In its most recent CPU in July, Oracle remedied 65 flaws in various products. That was preceded by 36 fixes in April, 82 in January and 80 in October 2005. Following the January fix, a Gartner analyst slammed Oracle, saying the Redwood Shores, Calif. company could no longer be considered "a bastion of security."
Another goal of this CPU was to explain the extent of the vulnerabilities to users more clearly. Specifically, this update is the first to rate each bug using the Common Vulnerability Scoring System (CVSS), to call out the flaws that are critical and remotely exploitable, and to include a "high-level" overview of each defect and its fix - similar to Microsoft's monthly security bulletins.
Click here to email Dan Kaplan.