Oracle plugs 101 security flaws

As part of its quarterly patch cycle, Oracle released fixes on Tuesday for 101 security vulnerabilities across its products.

The Critical Patch Update includes remedies for 63 flaws related to Oracle's widely-used database products. There are also patches for 14 vulnerabilities in Application Server, 13 related to E-Business Suite, 8 in PeopleSoft products, and one each in Oracle Pharmaceuticals and JD Edwards software.

"In terms of critical fixes, the majority of them lie within the application server product," said Darius Wiles, the senior manager for security alerts at Oracle. "There is a number that could be exploited both remotely and without authentication, and those are the ones that customers should be most concerned about and fix as soon as possible."

Oracle's October security update is the first of its quarterly bulletins to contain severity ratings. Also, the alert now more clearly denotes which flaws could be exploited remotely by anonymous attackers, the most serious type of vulnerability.

Many of the issues are significant. Thirty of the Oracle Database related flaws open systems up to unauthenticated, remote attacks, according to the alert. For Application Server, 13 flaws carry that risk, as does one in E-Business Suite and one in PeopleSoft products.

Of all the database-related flaws, 35 are in Oracle Application Express, and 25 of those carry the most serious risk. Application Express is an optional installation and isn't used by many Oracle customers, Wiles said. Application Server is more widely used and as such, more systems are at risk of flaws associated with that product, he noted.

"There is a lot of fixes this time?they seem to be getting on top of the bug fixing," Pete Finnigan, a security specialist in York, England, wrote on his blog Tuesday. "I am impressed by the new style advisory; it's not perfect, it is much better than it was."

Oracle's next patch day is Jan. 16.

[vikram.s]

Unbreakable Oracle?

I dont think so.

[fc11]

RE

Forgot to mention Mozilla. You should add the number of bugs in Oracle, Linux or Solaris, Open office and Mozilla and compare that number with the number of bugs in Microsoft.

[craigminah]

This is normal for Oracle

Oracle releases security updates on a quarterly basis so 101 bug
fixes isn't abnormal. Look at how many bugs Windoes fixes daily
and add them up for a quarter. Actually, a lot of the bugs in Oracle
are mirrored in their myriad products so it really may be only 30
actual bugs but some are duplicated in multiple products resulting
in 101 bugs.

[NewsReader_]

Please compare apples to apples

Oracle is a database application. Windows is an operating system. If you want to make a comparision to a Microsoft product, it should be SQL Server 2005.

SP1 of that product back in April fixed half as many issues.

Oracle was foolish for claiming their stuff was 'unbreakable' How many critical flaws have they fixed since then? How many did they actually disclose?

[fc11]

101 or 30 bugs only for database and app server!

If Oracle have 30 actual bugs, that is much more than the bugs in Microsoft SQL server plus comparible Microsoft application servers. Microsoft also ship operating systems. You should add the number of bugs in Linux OR Solaris AND Open office before you compare the number to Microsoft.

Also if you <a class="jive-link-external" href="http://bugtraq," target="_newWindow">http://bugtraq,</a> you can see that Microsoft really do not ship fixes daily. Microsoft ships about 10 fixes every month, which add up to about 30 per quarter. You got the impression from reading news where one bug was discussed many times by many people.