Oracle Patches 65 Vulnerabilities
The Critical Patch Update (CPU) contains patches for 27 flaws in Oracle Database, 20 in E-Business Suite, 10 in Application Server, 4 in Enterprise Manager, 2 in PeopleSoft Enterprise, and 1 each in Collaboration Suite and JD Edwards HTML Server.
Of the 27 Oracle Database bugs, 4 are fixes for client-side systems that connect to database systems.
While Oracle doesn't rank its fixes as do Microsoft and Apple, third-party security vendors put users on notice. Symantec, for example, rated the impact of the vulnerabilities as "10," its highest, while Danish bug tracker Secunia tagged the CPU as "Highly critical," its usual label for an Oracle CPU.
Security organizations bemoaned the lack of detail in the update bulletin, an Oracle trademark. "Due to a lack of information, specific attack scenarios cannot be provided," said Symantec in its alert to DeepSight Threat Management System customers.
Oracle again also caught flak for the its three-month update schedule. "Three months is way too longthey could come up with some workarounds in those months," said Swa Frantzen, an analyst with the SANS Institute's Internet Storm Center.
Both criticisms -- lack of guidance and the quarterly updates -- are regularly made each time Oracle rolls out patches, including after the batch issued in April that counted 36 fixes and the January CPU which fixed 82 flaws.
What information Oracle does provide can be found in this online advisory.