Oracle is out with its first Critical Patch Update (CPU) for 2011, fixing 66 vulnerabilities across its software portfolio. The largest category of patched software is Oracle's Sun Products suite with 21 fixes. The January CPU also marks the sixth anniversary of the CPU program at Oracle, which began in January 2005.
The CPU program expanded in 2010 with the addition of the Sun product lineup, which is well represented in the January update. The most severe Sun fix is for the Solaris operating system, for a flaw Oracle has rated 10.0 on the CVSS (Common Vulnerability Scoring System), the maximum possible score. The flaw affects Solaris versions 8, 9 and 10 and lies in the Calendar Manager Service daemon (rpc.cmsd). Of the Sun portfolio's 21 security fixes in total, nine are tagged as remotely exploitable without user authentication.
Additionally, Oracle is patching the Open Office suite for two flaws, both of which are remotely exploitable without user authentication. The flaws affect version 3.2.1 of the open source office suite and involve the way the program handles Microsoft PowerPoint files. Oracle recently released Oracle Open Office 3.3, which Oracle does not list as being affected by the two flaws.
Oracle's Fusion Middleware portfolio is tagged for 16 fixes, 12 of which are remotely exploitable without the need for a username or password. The two most severe middleware flaws are rated with a 10.0 CVSS score by Oracle. One of the severe flaws affects the Oracle JRockit component, while the other is within the Node Manager of the WebLogic Server.
Oracle's Database Server portfolio gets seven security fixes in the January CPU. The most severe flaw is in the Client System Analyzer component of Oracle Enterprise Manager Grid Control; it received a CVSS score of 10.0 and is remotely exploitable without user authentication.
The relatively small number of database patches is a cause for concern, according to Amichai Shulman, CTO of security vendor Imperva. Shulman noted that in the past Oracle had a lot of momentum around fixing database vulnerabilities. In his view, the quarterly patch cycle has seen a slowdown in database fixes in recent years as Oracle continues to add new companies and products.
"In the past, when Oracle had far fewer products, they would patch 100 database vulnerabilities at a time," Shulman told InternetNews.com. "One would assume that more products require more fixes, yet we are seeing smaller patches with less fixes for more products."
Eric Maurice, manager for security in Oracle's global technology business unit, blogged that the CPU program has been working well over its lifetime. Oracle transitioned to the CPU process in January 2005 to provide a predictable update cycle. Over the years the process has been refined, including the addition of CVSS scoring in 2006 to provide additional information and transparency about the severity of flaws.
"The program continues to provide customers with a consistent mechanism for the distribution of security fixes across all Oracle products," Maurice blogged. "CPUs are issued on a predictable schedule published a year in advance. Very importantly as well, Oracle's fixing and disclosure policies are transparent and are designed to provide equal protection to all Oracle customers."
Imperva's Shulman, however, has a different view of Oracle's transparency when it comes to vulnerability disclosure. In Shulman's view, Oracle does not give a clear indication of what the vulnerabilities involve, with the company citing concerns that hackers would turn published details into working exploits.
"This lack of transparency is outrageous behavior," Shulman said. "Vendors expect researchers to share details with them responsibly, yet they fail to do the same with security vendors and their customers."
Keep up with security news; Follow eSecurityPlanet on Twitter: @eSecurityP.