At 51 Fixes, Oracle Cuts Security Holes

Oracle is out with its first Critical Patch Update (CPU) of 2007, and it addresses 51 different security vulnerabilities. The number may seem high, but it is actually fewer than in past updates, thanks in part to Oracle's new reporting methods.

The 51 vulnerabilities affect Oracle Database Server, Oracle Applications
Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle
Enterprise Manager, and Oracle PeopleSoft Enterprise Applications.

Oracle's last CPU came out in October 2006 and addressed 101 new flaws. At the time, the database giant also introduced new reporting transparency for its updates, identifying when a vulnerability is actually remotely exploitable. As a result, Oracle now uses Common Vulnerability Scoring System (CVSS) scores in its CPU.

“Our use of CVSS has generated a lot of support from customers and genuine
interest from the industry,” Eric Maurice, manager of security in Oracle’s
global technology business unit, wrote on Oracle’s security

The CVSS scores in the January CPU also reveal that Oracle is
reporting 51 vulnerabilities in total, but that seven of them have a CVSS “Base
Metric” score of zero.

“This is because this type of vulnerability represents problems that we
believe are not exploitable in a default database environment (as provided
by Oracle ‘out of the box’),” Maurice explained. “Code that runs affected
programs as a privileged user (e.g. custom code developed by customers,
which passes input from an untrusted source) may be exploitable. In
particular, it may allow malicious code to be run with administrative

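To make the "base score of zero" point concrete, here is an added example (not code from the article or from Oracle) that computes CVSS base scores from standard vector strings and tallies, for a batch of vectors, how many score zero and how many are reachable over the network without authentication. It uses the CVSS 2.0 base formula, which is an assumption: the article does not say which CVSS version Oracle applied to the January CPU, and the vector strings in the sample list are constructed for illustration, not Oracle's scores. The example shows the mechanical reason a base score can be zero: when confidentiality, integrity and availability impact are all rated None, the impact term is zero and the whole score collapses to zero regardless of how reachable the flaw is.

```python
"""CVSS 2.0 base-score calculator and batch summary (added example, not from the article)."""
from decimal import Decimal, ROUND_HALF_UP

# CVSS 2.0 base-metric weights (from the CVSS 2.0 specification).
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}      # Local, Adjacent network, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}   # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}     # Multiple, Single, None
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}             # None, Partial, Complete

REQUIRED_METRICS = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector: str) -> dict:
    """Parse a vector such as 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into {metric: value}."""
    metrics = {}
    for item in vector.split("/"):
        key, sep, value = item.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {item!r} in {vector!r}")
        metrics[key] = value
    missing = REQUIRED_METRICS - metrics.keys()
    if missing:
        raise ValueError(f"vector {vector!r} is missing metrics {sorted(missing)}")
    return metrics


def base_score(vector: str) -> float:
    """CVSS 2.0 base score, rounded half-up to one decimal as the spec requires."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    # f(Impact) is 0 when there is no impact at all, so the score is exactly zero.
    if impact == 0:
        return 0.0
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def remote_unauthenticated(vector: str) -> bool:
    """True when the flaw is network-reachable and needs no credentials (AV:N and Au:N)."""
    m = parse_vector(vector)
    return m["AV"] == "N" and m["Au"] == "N"


def summarize(vectors) -> dict:
    """Tally a batch of vectors the way a patch-advisory summary would."""
    scores = [base_score(v) for v in vectors]
    return {
        "total": len(vectors),
        "zero_base": sum(1 for s in scores if s == 0.0),
        # Only count remote/no-auth flaws that actually carry a non-zero score.
        "remote_no_auth": sum(
            1 for v, s in zip(vectors, scores) if s > 0.0 and remote_unauthenticated(v)
        ),
        "highest": max(scores) if scores else 0.0,
    }


# Constructed sample vectors for illustration; these are not Oracle's scores.
SAMPLE_VECTORS = [
    "AV:N/AC:L/Au:N/C:C/I:C/A:C",  # full remote compromise, no credentials
    "AV:N/AC:L/Au:N/C:P/I:P/A:P",  # partial impact, remote, no credentials
    "AV:N/AC:L/Au:S/C:P/I:N/A:N",  # remote but requires a valid login
    "AV:L/AC:L/Au:N/C:C/I:C/A:C",  # local privilege escalation
    "AV:N/AC:L/Au:N/C:N/I:N/A:N",  # reachable, but rated with no impact: scores zero
]

if __name__ == "__main__":
    for v in SAMPLE_VECTORS:
        print(f"{v}  base={base_score(v):4.1f}  remote/no-auth={remote_unauthenticated(v)}")
    print(summarize(SAMPLE_VECTORS))
```

The summary function deliberately excludes zero-scored vectors from the remote/no-auth count; otherwise a flaw rated as having no impact in the default configuration would still be reported as an unauthenticated remote issue, which is the distinction the article's quoted explanation is drawing.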
Though the numbers aren't terrible, the January update still addresses some very serious flaws. It includes 26 patches for Oracle's database products, 10 of which could potentially be exploited remotely without even a username or password. Oracle's Application Server software isn't out of the woods either, with eight critical vulnerabilities that can likewise be exploited remotely without a username or password.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
