Oracle Fixes 36 Bugs In Patch Update
The Redwood Shores, Calif.-based software vendor on Tuesday said it patched 13 vulnerabilities in its database product, 11 bugs in the Oracle E-Business Suite and five bugs in the Oracle Application Server.
Oracle, which last October began scoring its vulnerabilities using the 10-point Common Vulnerability Scoring System, gave its highest threat rating -- a CVSS base score of 7.0 -- to an issue affecting the Core RDBMS component of the Oracle database.
However, the flaw only affects Oracle running on Windows XP with simple file sharing enabled, so it's not a problem for all Windows systems, David Litchfield, managing director of U.K.-based Next Generation Security Software, said in an e-mail interview.
Many of the flaws Oracle patched in this release are old issues, according to Litchfield, who said he reported the vulnerability to Oracle in 2002.
"This may indicate that Oracle is now in a position where they can 'clear the backlog,' indicating that most of the more important flaws have been found and patched," which suggests that future updates could be smaller, Litchfield wrote in a white paper on the new patch release.
None of Oracle's CVSS base scores for the other 35 vulnerabilities exceeded 4.2. The vendor also assigned CVSS scores of 0.0 to four database flaws, noting in an advisory that these "represent problems that are not exploitable in a default database environment."
Oracle also plans to alter the content of future patch updates for its server and middleware products to address the trend of customers not downloading patches for certain platform and version combinations.
In the next patch release, scheduled for July 17, Oracle plans to only issue patches for these products if customers ask for them, as opposed to systematically creating patches.
"This change should not affect most customers, as we are only targeting inactive combinations," Eric Maurice, manager for security in Oracle's Global Technology Business Unit, wrote in a blog post.