17:43 13.07.2007 | All news from "Technology"

Oracle Set To Release 46 Bug Fixes

News about the launch of Oracle's next-generation database is sharing headlines this week with an alert about 46 patches that will be arriving next week to fix various vulnerabilities in Oracle software.

Oracle just released the 11g database, complete with many new features and corresponding Oracle University classes designed to help customers learn how to use all the new bells and whistles. Third-party companies, such as Tele Atlas and 170 Systems, piggybacked on the 11g announcement with news of software designed to work with 11g.

By most accounts, it has been a week that many enterprises have been waiting for. But I.T. admins might be looking to plug the holes in several Oracle products next week before installing the new database. On Tuesday, Oracle will release patches to fix issues in 10g, Application Server, and E-Business Suite.

Database Flaws

"Oracle is a staple of many enterprise environments, so vulnerability management for this application is very important to most administrators," said Ken Dunham, director of the Rapid Response Team at VeriSign iDefense. "The general trend of vulnerability disclosure for the industry is on par to date, including Oracle."

The 10g database flaws might be of special interest to those enterprises that do not plan to upgrade right away to 11g. Oracle said the patch for 10g contains 20 security fixes, including one fix for a vulnerability in Application Express. Two of the bugs are remotely exploitable without authentication.

With nearly half of the flaws in the latest round of Oracle patches in 10g alone, should companies be overly concerned about the fate of 11g? Dunham said he doesn't think so. Oracle, after all, does not release fixes every month like Microsoft does. Oracle's last release in April fixed 37 flaws.

"Oracle can release large numbers of patches at various times throughout the year," Dunham said. As a general rule, he explained, little information is disclosed about the flaws as part of Oracle's plan to minimize potential hacker activity.

Other Fixes

The update coming next week contains four new security fixes for Oracle Application Server. Three of these vulnerabilities are remotely exploitable without authentication. Two new fixes are applicable to client-only installations.

Fourteen of the patches fix critical flaws in the Oracle E-Business Suite. Six of them can be remotely exploited. In addition, there is one new fix that applies to the Instant Messaging/Presence component of Oracle Collaboration Suite. It is not remotely exploitable without authentication, however.

Finally, the Oracle Enterprise Manager has no known vulnerabilities, but the Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne software collectively contain eight flaws.


yahoo.com/