Modernizing Authentication — What It Takes to Transform Secure Access
Oracle users, it's that time, again! The company has released its final Critical Patch Update (CPU) for 2008, with fixes for 36 vulnerabilities across the company's product portfolio.
The bulk of the fixes this time come for the Oracle Database Server -- though the most severe flaw resides in the Oracle WebLogic Server (formerly BEA WebLogic).
The CPU is a quarterly event for Oracle (NASDAQ: ORCL) users, with the
In the latest CPU, fifteen fixes are for the Oracle Database Server, an increase from the 11 reported in the July CPU. Of the new fixes, only one of them in the October CPU is remotely exploitable without authentication, thereby posing the greatest risk to users. Oracle has been detailing which flaws are remotely exploitable without authentication since October 2006
Oracle's Application Server Suite gets six security fixes, two of which may be remotely exploitable without authentication. At the same time, Oracle E-Business Suite and Applications is being patched for four security issues, two of which are labeled as being remotely exploitable without authentication. The PeopleSoft and JDEdwards Suite receives five fixes in this update, with only two being remotely exploitable without authentication.
The BEA Product suite, which only first appeared on the Oracle CPU in July, sees six security fixes in the latest update, five of which are remotely exploitable without authentication.
Oracle also provide Common Vulnerability Scoring System (CVSS) scores for its vulnerabilities, which is intended to provide system administrators with a risk metric for determining severity. Of the 36 updates in the October CPU, only one vulnerability -- for an Apache plugin in the Oracle WebLogic Server -- received the highest CVSS score of 10.
Eric Maurice, manager for security in Oracle's global technology business unit, noted in a blog post that the WebLogic issue is new, and not the same problem fixed by a previous security alert dealing with a similar issue.
"Vulnerability CVE-2008-4008 is a new vulnerability, which was reported to Oracle shortly before the creation of this CPU," Maurice wrote. "A fix for this vulnerability was therefore included in this CPU in order to provide a prompt resolution and to help ensure that the security posture of WebLogic customers is maintained."
The issue of whether a particular vulnerability is actually new troubles some security researchers.
"While small, this patch demonstrates ... the most frustrating issues about securing Oracle database servers," Amichai Shulman, CTO of database security firm Imperva told InternetNews.com. "Some of the vulnerabilities fixed by this patch appear in Oracle packages that have already been fixed at least once in the past three years."
This article was first published on InternetNews.com. To read the full article, click here.