The Inquirer-Home

Oracle issues its July critical patch update

Plugs 87 security holes across its product portfolio
Wed Jul 18 2012, 17:45

ENTERPRISE VENDOR Oracle has issued its critical patch update (CPU) advisory for July, plugging a total of 87 security holes across its product portfolio.

The fixes focus mainly on weaknesses in Oracle's Sun servers, with 25 fixes issued for the Glassfish application server and Solaris operating system.

A further 22 patches are listed for the company's Fusion Middleware family, warning that eight of the vulnerabilities can be remotely exploited without a username or password.

A fix relating to Oracle's Fusion Middleware product Jrockit has a Common Vulnerability Scoring System (CVSS) - a scoring system to judge seriousness of vulnerabilities - score of 10.0, the highest possible.

Six fixes are included for Oracle's MySQL database, although the company promised none of the weaknesses involved can be exploited remotely without credentials. A further four are listed for its Database products.

However, Oracle revealed that three of the database vulnerabilities included in the release can be exploited by an attacker over a network without the need for login credentials.

Amichai Shulman, CTO and co-founder at Imperva said the patch is an example of how big companies with a wide product line struggle to find the resources to keep all of their products up to date with security fixes.

"The database vulnerabilities are about denial of service, probably around the Oracle Listener component which helps users communicate with the database remotely." Shulman said.

"Interestingly, for three of these database vulnerabilities all you need is network access, nothing more."

Shulman highlighted how this component has been around for 25 years, "yet very serious issues persist".

"It emphasises the complexity of software and the need for security outside of the code base as it's written," he added. "This highlights why enterprises need a security solution on top of what comes with the database itself."

The patch updates are expected to arrive on 24 July. Oracle issued a warning urging customers to upgrade their systems as soon as they can. µ


Share this:

blog comments powered by Disqus
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

INQ Poll

Happy new year!

What tech are you most looking forward to in 2015