Oracle to issue 45 security patches

gallery

Oracle has said it will release 45 critical security fixes next Tuesday, promising to keep database and IT security administrators busy.

But they may be surprised to find that despite the large number, Oracle has said none of the patches can be exploited over a network without a user name and password.

This has led some to question the true meaning of the regular patching cycle, known as Oracle’s Critical Patch Update (CPU). Oracle describes the quarterly CPUs as “the primary means of releasing security fixes for Oracle products to customers with valid support contracts.”

And recent research carried out among Oracle users groups by security firm Sentrigo found that two thirds of the 305 database administrators, consultants and developers surveyed had never installed Oracle's CPU.

Nevertheless, the CPU includes 11 database fixes that affect a number of versions within the 11g, 10g and 9i releases.

Among the affected products are Oracle’s TimesTen in-memory database, Oracle Application Server, a number of PeopleSoft Enterprise products, Oracle Enterprise Manager Database Control, E-Business Suite, and WebLogic Server, which it acquired by purchasing BEA Systems. There are no new patches for Oracle’s J.D. Edwards suite of products.

Despite debate over their importance, Oracle said three of the seven WebLogic Server patches and all nine for Oracle Application Server regard vulnerabilities that can be exploited with no authentication needed.

More details on the CPU is available via Oracle’s pre-CPU notice. The full patches will be released next Tuesday, 15 July.

Email to a friend

Print this page