News Stay informed about the latest enterprise technology news and product updates.

Oracle bulletins will rank patches, offer more detail

Oracle has been criticized in the past for releasing complex security bulletins that are hard to decipher. The streamlined bulletins will be easier to digest, the company says.

Oracle Corp. has taken plenty of flak for releasing security bulletins that are hopelessly difficult to decipher. In response, the database giant will unveil a new, easier-to-digest bulletin when it releases its quarterly critical patch update (CPU) Tuesday.

The Redwood Shores, Calif.-based vendor outlined the upcoming changes in its Oracle Global Product Security blog Wednesday. Among the changes, Oracle will:

  • Adopt the Common Vulnerability Scoring System (CVSS) to rate the severity of the flaws each patch addresses;
  • Specifically identify critical flaws that may be remotely exploitable without requiring authentication to the targeted system; and
  • Provide an executive summary of the security vulnerabilities addressed in the CPU.

Oracle said the changes are the result of feedback it received from "many" customers.

"The template of the new documentation received positive feedback, and we hope that these changes will help our customers assess the criticality of the vulnerabilities resolved with each CPU and help them obtain patching decisions from their senior management more quickly," the company said. "Ultimately, we feel these changes should result in further strengthening the security posture of our clients by providing a standard approach to vulnerability scoring and a means for better internal communication."

Timeline: Oracle security
May 8: Oracle refuses to learn its lesson, experts say

April 19: Oracle fixes 36 more flaws

April 11: Oracle accidentally exposes flaw, exploit

In an interview with in June, John Heimann, Oracle's director of security program management, and Darius Wiles, senior manager of security alerts, acknowledged that its patching process can be difficult to follow.

The company has been criticized in the past not only for the complexity of its patch bulletins, but also for inconsistencies in the patches themselves. Its quarterly patch releases are typically followed by reports from security researchers of flaws not being fixed as advertised. The vendor has also been accused of sitting on vulnerabilities that are more than a year old.

Wiles and Heimann acknowledged that a vast array of platforms and mountains of source code can make for some patching mistakes and for complicated bulletins.

Dig Deeper on Database Security Management-Enterprise Data Protection

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.