Will contain fixes for 59 security vulnerabilities

Jul 13, 2010 14:13 GMT

Oracle is preparing to release a batch of patches that will address 59 vulnerabilities affecting hundreds of its products. The security issues in the TimesTen In-Memory Database and Oracle Secure Backup carry the highest CVSS base scores in this update.

The Sun products line, acquired by Oracle from Sun Microsystems, registered the highest number of vulnerabilities for this update: 21. Affected products in this line include Access Manager, OpenSSO, Solaris, Solaris Studio, Sun Convergence, Sun GlassFish Enterprise Server, Sun Java System Application Server and Sun Java System Web Proxy Server. Seven of these vulnerabilities can be exploited remotely without authentication.

Oracle applications such as the Oracle E-Business Suite, the Oracle Supply Chain Products Suite and the Oracle PeopleSoft and JDEdwards Suite account for another 17 of the vulnerabilities, six of which can be exploited remotely without authentication. Another 13 vulnerabilities were located in components of the Oracle Database, including Application Express, Export, Listener, Net Foundation Layer, Network Layer, Oracle OLAP, Oracle Secure Backup and the TimesTen In-Memory Database.

Oracle Fusion Middleware is also affected by seven new security bugs, five of which can be exploited over a network without authentication. The flaws were found in the Application Server Control, JRockit, Oracle Business Process Management, WebLogic Server, the WebLogic Server plug-ins for the Apache, Sun and IIS web servers, and the Wireless components. Finally, the last vulnerability, which is also remotely exploitable, was found in the console component of Oracle Enterprise Manager Grid Control.

“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” the company says in its pre-release announcement.

Oracle follows a quarterly patch cycle, with scheduled updates shipping every January, April, July and October. According to a recent study from vulnerability management firm Secunia, the number of vulnerabilities discovered in Oracle products has been on a declining trend since 2009. Apple has displaced Oracle from first place in that ranking, and Oracle now sits in second place.

You can follow the editor on Twitter @lconstantin