The most severe vulnerability affects Sun Products Suite’s Solaris, which received a score of 7.8 out of 10 on the company’s vulnerability scoring scale. The most flaws will be fixed in MySql Server, with 27 patches.
Oracle’s popular Database Server will get two security fixes, one of which may be “remotely exploitable without authentication”, which means a hacker could exploit the flaw over a network without the need for a username and password. The Database Server components being fixed are the Core RDBMS and the Listener.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible”, the company said in its announcement.
Not everyone is happy with Oracle’s approach of dumping a large number of security patches on IT administrators every quarter. Last year, Amichai Shulman, chief technology officer with Imperva, criticized Oracle for its quarterly timetable for patching vulnerabilities.
“Oracle patching needs fixing. In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. Oracle had a lot of momentum around fixing database vulnerabilities. However, the quarterly patch cycle has seen a slow down in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products”, he wrote in a blog.
Defending Oracle’s approach to security updates, Eric Maurice, Oracle’s software security assurance director, wrote that it “continues to provide customers with a consistent mechanism for the distribution of security fixes across all Oracle products.”