Oracle is out with its third Critical Patch Update (CPU) of 2010 and it's the company's biggest one yet this year, with fixes for the company's database, operating system and middleware offerings.

The previous Oracle CPU provided 47 fixes for security flaws, and was the first Oracle update to include patches for former Sun technologies, including the Solaris operating system.

Sun technologies are getting still more attention with today's update. The July CPU has 21 Sun-related patches in total, of which seven carry the highest risk by being remotely exploitable without the need for authentication. Among the high-risk vulnerabilities addressed in the CPU are a trio of flaws in OpenSSO, a Sun product for single sign-on that had actually begun as an open source project, and which now has a competing version supported by former Sun executives at software startup ForgeRock.


In the latest Oracle, CPU, the Sun Solaris Unix operating system is also being patched, receiving fixes or a pair of remotely exploitable flaws: one for an FTP server issue and the other for an RPC vulnerability.

Including Sun technologies in the Oracle CPU is intended to help provide greater visibility into security risks for administrators, Oracle said.

"As with previously acquired companies, Oracle aligns the security policies affecting the newly acquired product lines as closely as possible to existing Oracle Software Security Assurance policies," Eric Maurice, manager for security in Oracle's global technology business unit, wrote in a blog post. "This alignment is designed to help maintain the security posture of our customers as well as to ensure that Oracle's policies are consistent across all products."

However, the latest CPU also includes a number of patches for non-Sun products as well. For Oracle's database server technologies, the July CPU patches 13 issues. Oracle's namesake database server itself is being patched for six issues, of which four are identified as being remotely exploitable without user authentication. Oracle's TimesTen In-Memory database is also being patched for a pair of vulnerabilities, both of which are being remotely exploitable without user authentication

Oracle's Fusion Middleware software is being patched for seven issues, five of which Oracle said are remotely exploitable without user authentication. The Fusion issues, however, are mostly Java-related, according to Oracle.

"Note that the most critical of these Fusion Middleware fixes is related to previously released Java security fixes, which addressed vulnerabilities affecting the Java Runtime Environment," Maurice wrote.

Oracle patched Java in March for 27 different security issues spread across Java products.

The final Oracle CPU for 2010 is currently scheduled for release on Oct. 12.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.