Oracle is out this week with its July critical patch update (CPU), patching at least 78 different vulnerabilities across all of its various product lines. Oracle's last CPU came out in April fixing 73 vulnerabilities.

Topping the list of vulnerabilities by category is the Oracle-Sun product suite, which is being fixed for 23 issues. Oracle Enterprise Manager Grid Control is being patched for 18 security issues, while Oracle's Database Server is being fixed for 13 flaws. Rounding out the list are seven flaws being fixed in Oracle's Fusion Middleware.

"Oracle's acquisition of companies like PeopleSoft and Sun, in addition to its own diverse product portfolio has made the CPUs large and dense," Amol Sarwate, Vulnerability Labs manager for Qualys, noted in an email. "The CPUs are becoming huge. But due to the diversity of affected products, our guess is that many larger organizations could have specialized teams working on different products in order to make the Oracle quarterly CPU a bit more manageable."

While the diversity in products might make the CPU manageable for some, Amichai Shulman, CTO of security vendor Imperva, has some concerns about how Oracle actually ranks and rates vulnerabilities.

In an email, Shulman noted that for this release, and historically, Oracle's security scoring clearly doesn't always reflect the true operational risk.

In terms of database vulnerabilities, Shulman specifically noted, for example, that CVE-2011-2253 is rated as a 7.1 on the severity scale. That said, abusing the vulnerability requires privileged system access, which would place the problem much lower on the priority list. In contrast, Shulman said that CVE-2011-0835 and CVE-2011-0880 allow an attacker to take over the entire database with just a valid set of credentials, yet score much lower at 6.5.

"Unfortunately, given the pervasiveness of the Oracle database, mislabeling the security impact of vulnerabilities can adversely affect the risk management process," Shulman said.

Shulman also warned about the Oracle Secure Backup and JRockit products, which are being fixed for flaws with the highest severity rating of 10.

"These products are notorious for producing severe vulnerabilities," Shulman said. "The lesson? Oracle should take a closer look at the security of these products as their poor track record may indicate a deeper systemic security problem."

Oracle issues CPUs on a quarterly basis. The next CPU is scheduled for October.

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.