Oracle users: you got off easy this time.
As part of its January Critical Patch Update (CPU), Oracle has released updates for 26 different issues affecting its applications. The January tally is nearly half of what Oracle usually updates in its last CPU, which came out in October of 2007.
The bulk of the fixes this time is related to Oracle's Database products. In total, Oracle is patching for eight different security fixes related to Oracle's Databases, though none is tagged with the "remotely exploitable without authentication" flaws.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i The "remotely exploitable without authentication" flaws are among the most dangerous because, as the title implies, they can be remotely exploited by an attacker without authentication. Oracle first began providing details on which flaws could be exploited this way in October of 2006 when it patched 101 flaws, over half of which were labeled as remotely exploitable.
The January 2008 CPU also contains 7 new security fixes for the Oracle E-Business Suite, 3 of the vulnerabilities may be remotely exploited without authentication.
Oracle Application Server gets 6 security fixes, 5 of them being remotely exploitable. Oracle PeopleSoft Enterprise gets 4 security fixes with 1 remote exploit. Rounding out the list is 1 fix for the Oracle Collaboration Suite.
While Oracle has managed to reduce the patch load with the January CPU, some have argued that Oracle users aren't paying as much attention to CPU's as they should. Database security vendor Sentrigo reported that most Oracle users don't actually patch their systems with the CPU.
There are a number of different reasons why Oracle DBAs (database administrators) might be lax in updating with the Oracle's CPU's.
Ryan Barnett, director of training with Breach Security told InternetNews.com that the biggest challenge to applying CPU patches sets seems to be the extensive regression testing that is involved. Barnett commented that many organizations have mission critical systems that employ many different technologies and versions of those technologies.