Oracle is moving quickly to secure its new Sun Microsystems technology assets. In the first Critical Patch Update (CPU) from Oracle (NASDAQ: ORCL) since it completed its acquisition of Sun, the database giant is providing 16 fixes for Sun products, five of which are specific to the Solaris operating system.
In total, 47 vulnerabilities across Oracle's product lines are being patched as part of the company's April 2010 CPU -- the latest in Oracle's quarterly roundup of patches.
"With the recent close of the Sun acquisition, both security organizations have worked diligently to align Sun's previous security practices with Oracle's," Eric Maurice, manager for security in Oracle's global technology business unit, wrote in a blog post. "The rapid inclusion of the Solaris product lines in the Critical Patch Update and the extension of Oracle Software Security Assurance to Sun technologies are evidence of the flexibility of Oracle's security assurance programs."
Maurice added that having a predictable patching schedule helps to provide security benefits for all Oracle users. With past acquisitions, Oracle has also rapidly integrated its new technologies into its CPU process. For example, Oracle began adding BEA products to the CPU in July 2008, just seven months after it acquired the company.
In addition to the six flaws patched in Solaris this week, the Sun component of Oracle's April CPU includes fixes for Sun Cluster, Convergence, Java System Access Manager, Java System Communications Express, Java System Directory Server, Sun Ray Server Software and Sun Management Center. A number of the vulnerabilities could potentially prove dangerous: eight of the 16 total flaws fixed in Oracle's new Sun technology are of a type that could be exploited remotely by an attacker without a username and password, the company said.
Flaws that can be remotely exploited without authentication are often considered the most serious, as they can be easier for an attacker to exploit.
In addition to the Sun fixes, Oracle's Database Server is being patched for seven vulnerabilities. Two of the vulnerabilities were first reported earlier this year by security researcher David Litchfield at the Black Hat DC Conference.
Oracle's Maurice noted that none of the Database Server issues are remotely exploitable without authentication.
In total across the April CPU, 28 of the 47 new vulnerabilities are remotely exploitable without authentication. In contrast, Oracle's January CPU contained fixes for 24 reported vulnerabilities, 13 of which were remotely exploitable without authentication.
In addition to the database fixes, Oracle's Fusion Middleware product family is being patched for five issues this week, all of which may be remotely exploitable without authentication. Oracle E-Business Suite receives eight new security fixes, while Oracle Industry Applications Product Suite gets six fixes and Oracle Collaboration Suite gets one.
The next Oracle CPU is currently scheduled for July 13.