As expected, Oracle Tuesday released 51 new security fixes for flaws across its database and application server products as well as its collaboration software and e-business suites.
Of these, 26 fixes addressed flaws in the company's database products, including 10 that the company said could be remotely exploited without the need for a username or a password. Oracle typically assigns its highest severity ratings to such flaws.
Tuesday's Critical Patch Update (CPU) from Oracle also contained 12 fixes for vulnerabilities in Oracle's Application Server software, eight of which were rated "critical" because they can be remotely exploited without any user authentication. Also included in the update were three patches for holes – including one that could be remotely exploited – in Oracle's PeopleSoft product.
The patches were released as part of Oracle's regularly scheduled quarterly security updates. The last one was in October, when the company released 101 fixes across its entire range of products.
Tuesday's update was preceded by a pre-release bulletin last week detailing the affected products, the number of vulnerabilities fixed, a severity rating score and other information designed to give administrators more time to plan their patching activities.
It's the first time Oracle released such advance information on its patches and is part of a continuing effort by the company to make its security updates easier to understand and to deploy.
"Customers have asked for a CPU summary in the past, so this will be favourably accepted," said Rich Niemiec, a former president of the International Oracle Users Group and the CEO of The Ultimate Software Consultants, a US-based consultancy firm.
For the first time in October Oracle started providing new documentation with its critical patch updates, giving detailed vulnerability information and an executive summary of the flaws being fixed.
The company also started assigning severity ratings to each its flaws using an emerging vulnerability scoring system called the Common Vulnerability Scoring System (CVSS). Both moves were in response to longstanding user complaints about the relative lack of information surrounding the company's bug fixes and the flaws they addressed.
The CVSS rating system is one of the "most helpful resources" that customers can use to help rate both the severity of the patch and the applicability to their system, Niemiec said.
"Many customers have a large number of systems to address and this rating system is paramount to accessing potential risk as well as ranking which systems are most vulnerable and applying the patch to those systems first," he said.