It seems that these days all major players in the software industry are beginning to deliver patches on a quarterly patch cycle. Oracle is one such vendor that plans to release fixes for 37 flaws for its flagship products on roughly April 17.
Vendors such as Microsoft, Oracle, and IBM are releasing patches, updates, and service packs with more ferocity and complexity than ever before. I believe monthly and quarterly patch updates allow an IT staff to plan for patch rollout, as opposed to getting a new e-mail each day about newly released patches, updates, and/or vulnerabilities.
Oracle’s move to a quarterly patch cycle will make life easier for its customer base. Rather than having its customers react to exploits, patches, and updates as they appear, Oracle can now enable them to plan accordingly. Overall, the adoption of a quarterly patch cycle by many vendors (Microsoft, IBM, Oracle, etc.) is a move in the right direction: it lets vendors plan patch releases and gives their clients notice of when those patches will become available. Oracle did this once before, in January, as a better way to prepare its clients for patches, vulnerabilities, and flaws.
There is a negative side to patching quarterly: a company may sit on fixes for known security flaws for months, leaving a window in which attackers can compromise a system via Denial of Service and SQL Injection attacks. I can only hope that we will still see some exploits, patches, and updates surface that have an emergency status and can’t wait until the quarterly patch cycle.
Oracle has been known in the past to have issues with buffer overflow attacks, DoS, and remote exploitation. Many were led to believe that Oracle was unbreakable, but we have all learned that this is untrue. Is any software unbreakable? Was the Titanic unsinkable?
According to Oracle, the critical patch updates are released midmonth on the following dates: July 17, 2007, October 16, 2007, January 15, 2008, and April 15, 2008. The updates will be issued to customers via Oracle’s support Web site on the dates above.
Included in the patch cycle are vulnerabilities that exist in some of the products that Oracle acquired. Examples include Oracle PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise Human Capital Management, and JD Edwards OneWorld Tools.
Additionally, there are 11 new security fixes for the Oracle E-Business Suite, two of which may be remotely exploited without authentication.
The update covers vulnerabilities in the following Oracle products:

| Product and affected versions | Product family |
| --- | --- |
| Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3 | Database |
| Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5 | Database |
| Oracle9i Database Release 2, versions 22.214.171.124, 126.96.36.199 | Database |
| Oracle Secure Enterprise Search 10g Release 1, version 10.1.6 | Secure Enterprise Search (OTN) |
| Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0 | Application Server |
| Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 – 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0 | Application Server |
| Oracle Application Server 10g (9.0.4), version 188.8.131.52 | Application Server |
| Oracle10g Collaboration Suite Release 1, version 10.1.2 | Collaboration Suite |
| Oracle E-Business Suite Release 11i, versions 11.5.7 – 11.5.10 CU2 | E-Business Suite |
| Oracle E-Business Suite Release 12, version 12.0.0 | E-Business Suite |
| Oracle Enterprise Manager 9i Release 2, versions 184.108.40.206, 220.127.116.11 | Enterprise Manager |
| Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48 | PeopleSoft/JDE |
| Oracle PeopleSoft Enterprise Human Capital Management version 8.9 | PeopleSoft/JDE |
| JD Edwards EnterpriseOne Tools version 8.96 | PeopleSoft/JDE |
| JD Edwards OneWorld Tools SP23 | PeopleSoft/JDE |