Oracle’s July Critical Patch Update includes 89 patches, which seems like a lot. Is it?
Unlike Microsoft, which provides its users with a monthly regular patch cycle, Oracle uses a quarterly Critical Patch Update (CPU) approach.
The July CPU is now out, and it’s a big one. It provides no less than 89 security fixes across a wide swath of Oracle products including database, Fusion Middleware, MySQL, Oracle VM and Solaris.
The update does not include any new fixes for Oracle’s much maligned Java, which is currently patched on a separate cycle. Oracle plans to align its scheduled Java patch release cycle with the CPU starting in October.
Oracle’s namesake database received six patches this CPU, only one of which is remotely exploitable without authentication. Oracle’s open source MySQL database didn’t fare quite as well, with a total of 18 new security flaws, two of which are classified as remotely exploitable without authentication.
Oracle got the MySQL technology as part of its acquisition of Sun in 2010, though Oracle classifies other Sun technologies in the CPU under the title of the Sun Systems Products Suite. That suite includes the Solaris UNIX operating system that received a total of 16 new security fixes, with eight reported as being remotely exploitable without authentication.
The Fusion middleware suite is tagged for 21 fixes, with 16 of those being remotely exploitable without authentication. Fusion is Java middleware and includes the JRockit Java Virtual Machine.
The flaws in the July CPU include a number of issues that Oracle already patched in its June Java CPU. Oracle patched 40 different issues as part of that update.
“With the inclusion of Java in the normal Critical Patch Update schedule starting in October 2013, the release of JRockit and Java security fixes will be integrated,” Eric Maurice, director, Oracle Software Security Assurance wrote in a blog post.
Too Many Vulnerabilities?
The overall number of vulnerabilities, as well as the method by which those vulnerabilities were found is a cause for concern, according to Tripwire security researcher Craig Young.
“The constant drumbeat of critical Oracle patches is more than a little alarming, particularly because the vulnerabilities are frequently reported by third parties who presumably do not have access to full source code,” Young said.
This month’s CPU credits 18 different researchers coming from more than a dozen different companies. ”
Young added that it’s also noteworthy that every Oracle CPU release this year has plugged dozens of vulnerabilities.
“By my count, Oracle has already acknowledged and fixed 343 security issues in 2013,” Young said. “In case there was any doubt, this should be a big red flag to end users that Oracle’s security practices are simply not working.”
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.