Oracle announced plans to deliver 46 patches on Tuesday to repair a number of vulnerabilities in its database and associated products.The quarterly critical patch update will address 20 flaws in the Oracle Database, with the most critical vulnerability having a severity level of 4.2 out of 10, according to the pre-release announcement. Two of the bugs may be remotely exploitable without exploitation.
The security release also will resolve holes in Application Server, Secure Enterprise Search, Application Express, Collaboration Suite, E-Business Suite and the PeopleSoft Enterprise solutions, which includes PeopleTools, Human Capital Management and Customer Relationship Management.
This is the third security update since Oracle launched a Common Vulnerability Scoring System (CVSS) to rate bugs, identify those flaws that are critical and remotely exploitable, and include a "high-level" overview of each defect and fix — similar to Microsoft's approach.
Ted Julian, vice president of marketing and strategy at database security firm Application Security, told SCMagazine.com today that Oracle is helping users better manage the patches.
"You have to give them credit for making progress on this issue," Julian said. "They’ve tried to be responsive."
The patches come on the heels of Wednesday’s unveiling of Oracle Database 11g, the first upgrade in four years of the California-based company's most popular offering. The new version features a number of security enhancements, including support for case-sensitive passwords, hot patching, a so-called audit vault to address insider threats and encryption capabilities beyond "column-level encryption.
The new version, billed as Oracle’s most reliable and performance-filled to date, endured a nine-month beta test period. An Oracle spokesperson could not be reached for comment.
In April, Oracle released 36 patches, one of the smallest patch updates since the database giant began issuing quarterly distributions more than two years ago. Last July’s update offered 65 fixes.