Oracle has had an interesting record for the past three and a half years when it comes to security. Since January 2005, Oracle has not had to release an out-of-cycle security alert for its products.
That record ended this week with the public report of a serious vulnerability in Oracle's BEA WebLogic Web server, which rates a 10 on the Common Vulnerability Scoring System (CVSS) scale.
The vulnerability could be remotely exploited by an attacker without authentication and could leave a WebLogic server at the mercy of a hacker.
The out-of-cycle alert comes barely two weeks after Oracle's July critical patch update, or CPU, which is a quarterly release for security updates to Oracle products. The July CPU was also the first one that included the BEA WebLogic server since Oracle acquired BEA earlier this year.
Ryan Barnett, director of application security at Breach, a software vendor in this market, noted that though the alert is an out-of-cycle patch for Oracle, it's not uncommon for BEA and not necessarily more severe.
"I would not attribute the timing of this alert to mean that it is any more severe than other high alerts issued by Oracle," Barnett told InternetNews.com. "Keep in mind that Oracle acquired BEA back in January of this year," he explained. "As you might expect, it often takes some time for organizations that have merged to iron out all of their processes, and in some cases they remain somewhat autonomous."
Barnett argued that while Oracle aims to release only four CPUs a year, the BEA division appears to be on its own security advisory cycle for its products. As evidence, Barnett pointed to BEA's alert repository, which already shows 30 alerts released for 2008.