Oracle released a quarterly patch update on Tuesday containing 51 fixes, one less than originally expected.

The January 2007 update contains security bug fixes that address vulnerabilities in a wide range of Oracle enterprise software products including flaws in Oracle Database, Application Server, Enterprise Manager, Identity Management, E-Business Suite, Developer Suite, and the PeopleSoft software packages.

More than half the patches (26 of the 51) involve Oracle's flagship database software products. Nine of these might be exploited without the benefit of knowing a user name or password, potentially making them far easier to exploit. Of these, eight involve Oracle HTTP Server. The promised, but delayed, security fix also affects Oracle's database software.

The Oracle patch batch also includes 12 new security fixes for Oracle Application Server, eight of which may be remotely exploitable without authentication, as well as seven new security fixes for the Oracle E-Business Suite. Three patches for Oracle PeopleSoft Enterprise PeopleTools, one of which may be remotely exploitable without logging on, and six patches for Oracle Enterprise Manager (five remotely exploitable) complete the unfestive 51.

Secunia reports that the impact of some of the vulnerabilities is unclear while others might be harnessed to gain access to sensitive information, run denial of service attacks, or conduct cross-site scripting and SQL injection attacks.

Oracle has been criticised in the past over the time it takes to develop security patches, and been asked to be more transparent about its security practices. In October, during its last release cycle, Oracle began rating the severity of bugs in its applications according to the Common Vulnerability Scoring System (CVSS), an industry-wide initiative designed to standardise vulnerability rating. Oracle rates this quarter patch batch at 7.0 in a scale from zero to 10, where 10 indicates impending internet meltdown (or some such calamity).

Amichai Shulman, CTO of Israeli database and application security firm Imperva, reckons that some of the vulnerabilities are more severe than Oracle suggests. In particular, he highlighted flaws in Oracle's HTTP server that might be exploited remotely without authentication. "The SSL implementation flaw is the worst of the lot," he added.

A number of the flaws might lend themselves to SQL injections attacks. Exploits would not be difficult for a skilled hacker to craft, Shulman added. Meanwhile, applying the patches would normally involve downtime so it might be some time before enterprises are ready to roll-out fixes.

Long lead times are involved in developing database packages, and this is as true for IBM as it is for Oracle. For this reason releasing Oracle updates on a monthly instead of quarterly basis is unrealistic, according to Shulman.

He added that although Oracle is making some progress in improving its patching process it ought to to be more flexible about the possibility of releasing unscheduled fixes closer to the time when the most severe security flaws are discovered. ®

Related stories

• Old people can sabotage software too (10 April 2008)

  https://www.theregister.com/2008/04/10/software_project_sabotage/

• Stay ahead of Web 2.0 worms (7 January 2008)

  https://www.theregister.com/2008/01/07/xss_tactics_strategy/

• Oracle drops litter of summer patches (18 July 2007)

  https://www.theregister.com/2007/07/18/oracle_summer_patch_release/

• Oracle preps July patch blitz (13 July 2007)

  https://www.theregister.com/2007/07/13/oracle_patch_alert/

• Oracle promises 37 spring security patches (11 April 2007)

  https://www.theregister.com/2007/04/11/oracle_spring_patch_batch/

• Oracle puts low-price on information (26 February 2007)

  https://www.theregister.com/2007/02/26/oracle_information_lifecycle_management/

• Microsoft's fat patch Tuesday (14 February 2007)

  https://www.theregister.com/2007/02/14/ms_patch_feb/

• EnterpriseDB goes after Oracle's European users (26 January 2007)

  https://www.theregister.com/2007/01/26/enterprisedb_european_office/

• Bug brokers offering higher bounties (25 January 2007)

  https://www.theregister.com/2007/01/25/bug_brokers_offering_higher_bouties/

• Bullseye of Oracle patches due Tuesday (12 January 2007)

  https://www.theregister.com/2007/01/12/oracle_bulletin/

• 'Big one' coming for Oracle database users? (29 November 2006)

  https://www.theregister.com/2006/11/29/oracle_database_security/

• SQL Server and the 7.5-day MTBF (28 November 2006)

  https://www.theregister.com/2006/11/28/myth_legend_5/

• DBAs brace for week of Oracle bugs (24 November 2006)

  https://www.theregister.com/2006/11/24/week_of_oracle_bugs/

• Oracle releases 11g database beta (23 October 2006)

  https://www.theregister.com/2006/10/23/oracle_11g_database_beta/

• Oracle's mega-patch shuts 101 doors (18 October 2006)

  https://www.theregister.com/2006/10/18/oracle_cpu_mega_patch/

• Oracle to provide clearer vulnerability ratings (13 October 2006)

  https://www.theregister.com/2006/10/13/oracle_revamps_security_update/

• Unpatched enterprise security bugs proliferate (24 August 2006)

  https://www.theregister.com/2006/08/24/0-day_manace/

• Oracle in war of words with security researcher (26 January 2006)

  https://www.theregister.com/2006/01/26/security_researcher_versus_oracle/