Oracle released its first quarterly Critical Patch Update (CPU) of 2012 on Tuesday afternoon, addressing at least 78 security issues across its product lines.
In terms of raw numbers, Oracle's MySQL database has the highest number of fixed flaws, coming in at 27. The Sun Product Suite has 17 security updates which includes updates to Solaris as well as the GlassFish Enterprise Server. Oracle's Fusion Middleware is receiving 11 security updates, JD Edwards products are getting 8 fixes, and the Oracle E-Business Suite has 3 security fixes. Sitting near the bottom of the list is the Oracle Database Server, which is being patched for only 2 vulnerabilities -- even though security researchers have informed Oracle of several additional high-priority security flaws.
"We were very surprised to see the record-low number of database vulnerability fixes in this latest CPU," Alex Rothacker, Director of Security Research for Application Security Inc.'s TeamSHATTER told InternetNews.com. "While the number has been trending down over the past couple of years, it was a shock to see just two fixes and the continued lack of emphasis Oracle is placing on providing fixes for its DBMS."
Historically speaking, even over the course of 2011 at least, Oracle has fixed a variable number of database flaws. The July 2011 Oracle CPU provided 13 fixes for Oracle Database. In the April CPU, Oracle fixed six database flaws.
The two flaws fixed in the new January CPU for the database are also considered to be important by Oracle. The flaw identified in the Oracle Database patch summary as CVE-2012-0072 is one that is relatively easy to exploit, according to Eric Maurice, manager for security in Oracle's global technology business unit.
"It is a relatively easy to exploit vulnerability, which can result in a shutdown of the database (without compromising confidentiality or integrity of the information contained in it)," Maurice wrote in a blog post. "In other words, this vulnerability could allow an unauthenticated attacker to carry a denial of service attack against the targeted database, for example if it were to be exposed to the Internet."
The second database flaw is identified as CVE-2012-0082 and deals with an issue in something know as Systems Change Numbers (SCNs) which identify database transactions.
"In November 2011, journalists from InfoWorld contacted Oracle and stated that in a number of specific instances it appeared that the SCN of a database could grow at an excessive rate, and that this excessive SCN value could be propagated to other databases in the same environment through, among other things, database links," Maurice explained in a blog post. "Oracle quickly determined that this temporary SCN exhaustion issue could have certain security implications, and as a result, in accordance with Oracle policies, Oracle handled this issue as a security bug."
While the two fixed database bugs are important, TeamSHATTER's Rothacker noted that his team has submitted additional bugs for the Oracle Database that were not addressed in the January CPU.
"We currently have nine submitted vulnerabilities in the queue, several of which we deem to be at least as severe as those addressed in today's CPU," Rothacker said. "However, it is our policy not to provide any further detail to the public surrounding the specifics of any vulnerabilities until a patch has been released by the vendor."
While Oracle hasn't yet fixed all the outstanding issues reported by TeamSHATTER, Oracle might already have a solution in the market that could help protect users against some of the flaws. Oracle recently updated their Database Firewall, which performs an analysis of queries going to the database to help protect users against SQL Injection and other types of database attacks. However, the firewall is not a panacea.
"The two patches released today would not typically be detected by database firewall technology," Rothacker said. "In terms of those vulnerabilities submitted by TeamSHATTER, a database activity monitoring solution would be able to help mitigate the risk for some, but not all that are in the queue."
Sean Michael Kerner is a senior editor at InternetNews.com, the news service of the IT Business Edge Network.