Oracle Security Patches: Biggest Release This Year

Apr 26, 2012

Oracle security patches are typically released on a quarterly basis. Tuesday was the release date for this quarter's patches, and the release was a big one. Oracle announced that it was releasing 88 patches covering 10 different Oracle products, 10 more patches than were released back in January. The company urged users to apply the patches quickly because there was a real threat of attack against Oracle users. One such threat scored a 9 on a 10-point vulnerability scale, according to InfoWorld.

There were six patches released to fix vulnerabilities in Oracle's databases. Half of those vulnerabilities could be exploited without requiring a user name or password. With vulnerabilities that significant, it is surprising that Oracle did not move to release a patch more quickly. IT departments at midsize businesses using Oracle should not only apply the Oracle security patches but also check their systems for anything inconsistent with the details the company has released. Databases were not the only Oracle products vulnerable to remote exploitation without authentication. Oracle Fusion Middleware received 11 patches, and 9 of those addressed flaws that were also remotely exploitable without any kind of authentication. Within Fusion Middleware, three products were affected: JRockit, BI Publisher, and JDeveloper.

Multiple Oracle products with these sorts of vulnerabilities are a major security issue for IT departments at midsize businesses. While many Oracle products are superior to their counterparts, two back-to-back security patch releases of this size mean that users need to tighten security on their end. While no software or operating system is foolproof, it is a bit worrisome when over 150 patches are needed to secure a single company's products over three months.

Oracle should have released these major patches outside of its normal release schedule. Releasing patches on a calendar schedule rather than according to the severity of the issue does not protect users. Of course, no one can force a change on an individual company. Until companies realize that holding to a calendar schedule is dangerous to their users, IT departments at midsize businesses must keep strong security measures in place that protect their entire network.

Another 15 of the new security patches covered Oracle Sun products, which include the GlassFish servers and the Solaris operating system. The other 56 patches covered the company's E-Business Suite ERP application, Supply Chain Suite, PeopleSoft Enterprise applications, Financial Services software, Oracle Industry Applications, Oracle Primavera, and the MySQL database. Many non-IT users will recognize MySQL as the database most commonly used behind everyday blogs.

Thankfully, the rest of the Oracle security patches covered items that, while still a threat, did not carry the level of security risk of the database and Fusion Middleware fixes. Of course, that does little to reassure users of Oracle products. The next Oracle bug-fix release will be for Java SE in June. Hopefully, Oracle can redeem itself with that release. All other Oracle products will see another security patch update in July. IT departments using any of these Oracle products will need to keep up to date with any and all security releases provided by the software giant.

Oracle released the patches and installation information on its website, along with links to past security updates in case users had skipped previous updates. Skipping those previous updates could leave systems at an even greater risk than previously thought.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.

