Oracle Patches 73 Vulnerabilities in April Update


Oracle came out this week with its latest quarterly Critical Patch Update (CPU). The April CPU addresses 73 different vulnerabilities spread across Oracle's product portfolio.

A total of 18 of the security fixes are listed for products from the Oracle Sun Products suite. The most serious flaw in the Sun suite is for a security issues with the GlassFish Enterprise Java middleware server. Oracle has assigned the GlassFish flaw a CVSS (Common Vulnerability Scoring System) rating of 10.0, the highest rating possible. The GlassFish flaw could enable an attacker to take control of an unpatched server remotely without authentication.

Oracle's Solaris Unix operating system is being patched for 11 flaws, ranging in severity from a CVSS score of 1.7 to 7.8.

Oracle is also providing an additional eight updates for the Open Office suite. Of those fixes, Oracle has identified seven vulnerabilities that may be remotely exploitable over a network without the need for a username and password.

The Open Office fixes come a week after Oracle announced that it was giving Open Office to the community and ending commercial sales. The Open Office project was forked in 2010 by community members that were unhappy with Oracle's leadership.

Oracle's Fusion Middleware portfolio gets nine updates, six of which are remotely exploitable without authentication. Oracle's E-Business Suite gets four updates while the PeopleSoft portfolio gets 14 and Siebel CRM is fixed for three flaws.

Oracle's namesake database server gets six updates as part of the CPU. Only two of the updates are identified as flaws that could be remotely exploitable without authentication.

Four of the six database flaws were reported to Oracle by Application Security Inc. by way of its TeamSHATTER researcher, Esteban Martinez Fayo.

"While we continue to disagree with the watered-down CVSS scores that Oracle assigns to its database vulnerabilities, it should not go overlooked that the majority of the fixes made in the last two CPUs were a direct result of the discoveries reported by TeamSHATTER researchers," said Alex Rothacker, Director of Security, AppSec's TeamSHATTER in a statement. "In a time when cyber criminals are making it abundantly clear that they are most interested in stealing sensitive information from databases, we urge all Oracle customers to heed the advice and guidance provided when it comes to patching the vulnerabilities disclosed in each CPU."

Sean Michael Kerner is a senior editor at, the news service of, the network for technology professionals.