ITPRO

Printed from www.itpro.co.uk

Oracle sends out early warning over patches

52 patches lined up for Tuesday as database company improves communication efforts with users.

By Rene Millman, 15 Jan 2007 at 14:07

Oracle is now giving system administrators prior warning on upcoming security patches, following Microsoft's lead.

The database company is to issue 52 patches to fix vulnerabilities in its products. Its Critical Patch Update will contain a total of 27 new security fixes for Oracle Database products, 10 of which may be remotely exploitable without authentication (meaning they may be exploited over a network without the need for a username and password).

Another fix is applicable to Oracle Database client-only installations. The other patches affect the company's Application Server, Collaboration Suite, E-Business Suite and Applications, Enterprise Manager, and PeopleSoft Enterprise and JD Edwards EnterpriseOne products.

Experts welcomed the decision to pre-announce patches.

"It's another step in the right direction for Oracle and this allows IT managers to get to grips with essential patching earlier," says Paul Davie, chief executive officer of security company Secerno. "But users need to beware. It's not vendor vulnerabilities they need to focus on but critical weaknesses in their development processes."

He said that vulnerabilities in vendor solutions are an issue and can be mitigated to some extent by timely patching, but that relying on patch management alone to solve database security problems wasn't a good idea.

"The continuous pressure on developers to drag more and more functionality out of their database should be a much greater cause for concern," said Davie. "Errors in deployment caused by poorly configured databases, inappropriate access permissions or badly engineered applications accessing the database are an increasingly worrying trend."
