Oracle users: you got off easy this time.
As part of its January Critical Patch Update (CPU), Oracle has released updates for 26 different issues affecting its applications. The January tally is nearly half the number Oracle patched in its last CPU, which came out in October 2007.
The bulk of the fixes this time relates to Oracle's Database products. In total, Oracle is issuing eight security fixes for its Database products, though none is tagged as "remotely exploitable without authentication."
The January 2008 CPU also contains 7 new security fixes for the Oracle E-Business Suite; 3 of the vulnerabilities may be remotely exploited without authentication.
Oracle Application Server gets 6 security fixes, 5 of them remotely exploitable. Oracle PeopleSoft Enterprise gets 4 security fixes, 1 of them remotely exploitable. Rounding out the list is 1 fix for the Oracle Collaboration Suite.
While Oracle has managed to reduce the patch load with the January CPU, some have argued that Oracle users aren't paying as much attention to CPUs as they should. Database security vendor Sentrigo reported that most Oracle users don't actually patch their systems with the CPU.
There are a number of reasons why Oracle DBAs (database administrators) might be lax in applying Oracle's CPUs.
Ryan Barnett, director of training with Breach Security, told InternetNews.com that the biggest challenge to applying CPU patch sets seems to be the extensive regression testing that is involved. Barnett commented that many organizations have mission-critical systems that employ many different technologies and versions of those technologies.