Oracle's Patches Are 'Light Load,' Experts Say

But compared to previous Oracle updates, the first security bulletin of 2008 is small, experts say. Last's October's bulletin contained more than 50 patches and experts say that they've seen updates containing more than 100 fixes at a time.

"This is a relatively light CPU," said Ted Julian, vice president of marketing and security for Application Security, specializing in database security. "There're not any real blockbuster vulnerabilities here."

Altogether, the latest round of patches repair numerous flaws in a range of products that include several Oracle Databases and versions of Oracle's Application Server, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, Collaboration Suite, E-Business Suite, Enterprise Manager Grid Control, PeopleSoft Enterprise PeopleTools, and PeopleSoft Enterprise Human Capital Management.

The updates are part of Oracle's quarterly release, which occurs on or close to the 15th of January, April, July and October in a process known as Critical Patch Update or CPU. Vulnerabilities are given a ranking on a scale in which 6.8 is the highest number for servers and 9.3 the largest rating for Application Server clients.

With some exceptions, many of this quarter's CPUs are cumulative, although each advisory describes only the repairs added since the previous update.

As anticipated by security experts, database fixes occupied the largest share of January's CPU, with eight new critical database patches addressing problems in the advanced queuing, core RDBMS, Oracle Agent, Oracle Spatial and XML (Extensible Markup Language) software.

One significant component of this quarter's CPU is the introduction of the first patch for the 11g database -- a new development which might be of interest to enterprises, Julian noted. However, none of the eight database vulnerabilities can be exploited remotely and Julian said that none are "especially earth shattering."

In addition to the database patches are seven fixes for the E-Business Suite, three of which repair errors that leave systems susceptible to a remote attack, affecting CRM Technical Foundation, Mobile Application Server, Oracle Applications Object Library, Oracle Applications Framework, Oracle Applications Manager and Oracle Applications Technology Stack.

In addition, the update contains six new security patches for the Oracle Application Server, to fix five flaws that may be remotely exploited over a network without the need for a user name and password. Components affected by the vulnerabilities include the Oracle BPEL Worklist Application, Oracle Forms, Oracle Internet Directory, Oracle JDeveloper and JInitiator.

The update also contains one new fix the Oracle Agent component of the Enterprise Manager, which is vulnerable to exploitation without authentication. One fix was also issued for the Ultra Search component of the Collaboration Suite, repairing a flaw that can't be exploited remotely.

Oracle strongly recommended on its advisory that users update their software and apply current fixes as soon as possible, due to the fact that many of the errors are vulnerable to an outside, unauthenticated attack.

The advisory also recommended that users or businesses restrict network protocols or remove the ability to access certain packages from unprivileged users in order to protect their systems against or reduce the likelihood of attack.

For the first time, the January security bulletin also highlighted numerous individual experts who assisted the CPU effort with fundamental research that led to the discovery and repairs of the vulnerabilities. Individuals mentioned included Esteban Martinez Fayo of Application Security, Pete Finnigan, Joxean Koret and Alexander Kornbrust of Red Database Security; Ali Kumcu of inTellectPro; David Litchfield of NGS Software; Mariano Nunez Di Croce of CYBSEC S.A; and Alexandr Polyakov of Digital Security.

"I think this is a real positive step for security on that platform," said Julian, also noting "the more quickly users are going to get patches and the more effective those patches are likely going to be" as a result of the collaboration between the research community and the vendor.