By Lisa Vaas
July 12, 2005
Oracle has released a set of 49 patches that addresses new flaws in
multiple versions of its Database Server, Application Server,
Collaboration Suite, E-Business and Applications, and Enterprise
The patches are available on OTN (the Oracle Technology Network) .
The product flaws vary in terms of exploitability. Oracle Database has
12 flaws, including a flaw in Database 10g's Oracle OLAP (online
analytical processing) that requires Database privilege=97execute on
olapsys=97but which, according to Oracle's posting, is both easily
accessible and would have a wide impact.
Oracle's Application Server also has a dozen flaws that span the range
in terms of authorization required, severity of impact and ease of
exploitation. Collaboration Suite has six flaws and E-Business Suite
has 17, while Enterprise Manager has two.
The new database vulnerabilities addressed by this Critical Patch
Update don't affect Oracle Database Client-only installations
(installations that don't have the Oracle Database Server installed).
Therefore, according to Oracle's posting, it is not necessary to apply
this Critical Patch Update to client-only installations if a prior
Critical Patch Update, or Alert 68, has already been applied to the
The Oracle Database Server, Enterprise Manager and Oracle Application
Server patches are cumulative, containing all fixes from the previous
Critical Patch Update.
Not so for E-Business Suite or Collaboration Suite patches, however,
so customers using these products should refer to previous Critical
Patch Updates to identify previous fixes they need to apply.
This is the third of Oracle's Critical Patch Updates since the company
started cumulative patch releases in January.
Jon Oltsik, an analyst at Enterprise Strategy Group, said that Oracle
customers are mostly comfortable with Oracle's new patching strategy,
but they would like Oracle to be more proactive with emergency
"If any are high impact, if I were a customer and had a major
investment in Oracle, I wouldn't want to wait around for the
cumulative patch release," he said. "I want to know about them
immediately and apply them immediately."
In contrast, Microsoft offers custom services for big enterprise
customers. Oracle has resisted that, Oltsik said, since it's more
difficult from a process perspective to offer such services. "[But] if
I'm a big customer, I don't care about your processes," he said. "If
I'm buying from you, give me good service."
"People tend to criticize Microsoft from [the standpoint of] general
security and number of vulnerabilities," Oltsik said. "But from [the
perspective of] patching and management strategies, they're very, very
good and flexible. I'd say, more so than Oracle."
Attend the Black Hat Briefings and
Training, Las Vegas July 23-28 -
2,000+ international security experts,
10 tracks, no vendor pitches.