Oracle Patches Three Dozen Vulnerabilities
Latest update tackles a slew of flaws -- though some critics claim the patches highlight problems with Oracle's approach.
The bulk of the fixes this time come for the Oracle Database Server -- though the most severe flaw resides in the Oracle WebLogic Server (formerly BEA WebLogic).
Oracle's Application Server Suite gets six security fixes, two of which may be remotely exploitable without authentication. At the same time, Oracle E-Business Suite and Applications is being patched for four security issues, two of which are labeled as being remotely exploitable without authentication. The PeopleSoft and JDEdwards Suite receives five fixes in this update, with only two being remotely exploitable without authentication.
The BEA Product suite, which first appeared in the Oracle CPU in July, sees six security fixes in the latest update, five of which are remotely exploitable without authentication.
Oracle also provides Common Vulnerability Scoring System (CVSS) scores for its vulnerabilities, which are intended to give system administrators a risk metric for determining severity. Of the 36 updates in the October CPU, only one vulnerability -- for an Apache plugin in the Oracle WebLogic Server -- received the highest CVSS score of 10.
Eric Maurice, manager for security in Oracle's global technology business unit, noted in a blog post that the WebLogic issue is new, and not the same problem fixed by a previous security alert dealing with a similar issue.
"Vulnerability CVE-2008-4008 is a new vulnerability, which was reported to Oracle shortly before the creation of this CPU," Maurice wrote. "A fix for this vulnerability was therefore included in this CPU in order to provide a prompt resolution and to help ensure that the security posture of WebLogic customers is maintained."
The issue of whether a particular vulnerability is actually new troubles some security researchers.
"While small, this patch demonstrates ... the most frustrating issues about securing Oracle database servers," Amichai Shulman, CTO of database security firm Imperva told InternetNews.com. "Some of the vulnerabilities fixed by this patch appear in Oracle packages that have already been fixed at least once in the past three years."