This month, Oracle released its critical patch update and Java SE critical patch update at the same time. A full 56 vulnerabilities were patched in Oracle products, such as Oracle Database, Fusion Middleware, Application Server, Business Intelligence Enterprise Edition, Identity Management, WebLogic Portal and Server, Outside In Technology, Enterprise Manager Grid Control, and the E-Business Suite.
The remaining 20 patches were for flaws in Java SE and JRocket, which was added to the Java SE update this month. Oracle said 19 of these flaws could be exploited remotely without authentication.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply [critical patch update] fixes as soon as possible”, the company stressed in its advisory.
Amichai Shulman, chief technology officer at Imperva, said that Oracle’s critical patch scoring system downplays vulnerabilities, particularly for its database product.
“For example, the highest vulnerability is 6.5 out of 10 (CVE-2011-3525). But this one should probably be higher because: the effect is practically a full takeover of the database server; it's easy to exploit. Another database vulnerability gets a 5.5 (CVE-2011-3512) but should be higher as well. It's probably a SQL injection vulnerability which is relatively easy to exploit and could lead to a catastrophic dump of the database's contents", he said.