Oracle repaired two flaws in its database management system this week as part of a quarterly update that included 78 patches across its product portfolio.
One of the Oracle Database Server vulnerabilities is remotely exploitable, according to the Oracle January 2012 Critical Patch Update Advisory. The updates affect Oracle Database 10g and 11g release 1 and 2. The flaws are located in the listener and the core of the DBMS, Oracle said.
Application Security Inc.’s research arm, TeamSHATTER, which says it has discovered and disclosed multiple vulnerabilities to Oracle that are currently in Oracle's update queue, called Oracle’s latest round of updates a record low for database fixes.
Oracle started the CPU program in January 2005. The previous record low was set in the last CPU in October with just five fixes to Oracle’s database management systems. Prior to that, there were three different CPUs that had just six fixes, according to Application Security.
Oracle did release a massive update to its MySQL open source database management system. The CPU contained 27 fixes for Oracle MySQL. One of the errors is remotely exploitable without authentication, Oracle said.
Among the most critical updates is the one for Oracle Solaris, which fixes eight vulnerabilities, including a serious vulnerability with a Common Vulnerability Scoring System (CVSS) score of 7.8. The update also includes three fixes in the GlassFish application server.
Redwood Shores, Calif.-based vulnerability management vendor Qualys Inc. said overall the Oracle update was large for software users. The company said fixes to WebLogic/Apache and Solaris, which are Internet accessible, should be a priority.
Other updates associated with the January 2012 quarterly CPU affected Oracle’s Fusion Middleware, its PeopleSoft and JD Edwards software and its Sun Product Suite. Oracle also repaired three vulnerabilities in its E-Business Suite.
The updates included fixes for three flaws affecting Oracle Virtualization. The updates affected Oracle VirtualBox and Oracle’s Virtual Desktop Infrastructure. None of the vulnerabilities are remotely exploitable.