Oracle plugs 65 security holes

July patch update includes fixes for flaws, many serious, across the company's database and business products.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
As part of its quarterly patch cycle, Oracle on Tuesday released fixes for 65 security vulnerabilities that affect many of its products.

Many of the vulnerabilities are significant; 27 of the 65 bugs could be exploited remotely by an anonymous attacker, Darius Wiles, senior manager for security alerts at Oracle, said in an interview. Oracle has no suggested workarounds for any of the issues. Instead it is urging customers to patch their systems.

"We fix flaws in severity order. The fixes you see in the Critical Patch Update are the most critical," Wiles said. "We strongly recommend to customers that they apply these security patches as soon as they can."

Oracle's July Critical Patch Update delivers remedies for 23 flaws related to Oracle's Database products, one related to the Collaboration Suite, 10 in Application Server, 20 related to E-Business Suite and Applications, four in the Enterprise Manager, two in PeopleSoft's Enterprise portal and one in JD Edwards software.

In addition, the patch bunch includes fixes for four security vulnerabilities in client software that works with the Oracle database. This is only the second time since Oracle started releasing its Critical Patch Update, or CPU, in January 2005 that it has included fixes for software that runs on PCs, not servers.

"Customers need to think about patching desktops for the July CPU, whereas in the majority of CPUs only the database server needs to be patched," Wiles said.

Three of the four flaws in the client software are considered to be severe because they don't require any authentication and can be exploited remotely, according to Oracle's security alert.

One of the new Oracle fixes repairs a database vulnerability the company accidentally detailed in April. Usually secretive about security and critical of researchers who publicly discuss flaws in Oracle products, the company on April 6 itself published a note on its MetaLink customer Web site with details about the unfixed flaw.

In April, Oracle faced criticism for not delivering patches for all its products at the same time. The company is looking to improve on that this time around. "Our aim is to deliver quality patches on the official day of release," Wiles said.

The July patch release should include about 250 software fixes for Oracle products on multiple operating system platforms. Of those, approximately 10 are not available yet, but will be in the coming days. Some might take a bit longer, Wiles said.

Oracle is not aware of any attacks that exploit the flaws addressed in its Critical Patch Update, Wiles said. The company, which has been criticized for its slowness in patching flaws reported by security researchers, is still working on issues that have been brought to its attention and plans to address those in later patch releases, he said.