Oracle issues hefty security fix

As part of its quarterly patch cycle, Oracle on Tuesday released fixes for a long list of security vulnerabilities in many of its products.

The Critical Patch Update delivers remedies for 14 flaws related to Oracle's Database products; five related to the Collaboration Suite; one in Application Server; 15 related to E-Business Suite and Applications; two in the Enterprise Manager; one in PeopleSoft's Enterprise portal; and one in JD Edwards software.

In addition to the security fixes, Oracle said it has made "significant" changes to an existing tool that checks for default accounts and passwords. The tool was released in January as a response to the "Oracle voyager" database worm, which exploits those default items.

Security provider Symantec said in an alert to users of its DeepSight intelligence service: "Several of these vulnerabilities are significant, and should be patched as soon as possible. No workarounds for these issues have been published by Oracle."

The number of fixes is lower this quarter than in preceding quarters, according to a UK-based security specialist, Pete Finnigan, who wrote about the patches on his blog. While Oracle provides scant details about the problems, Finnigan notes most of the database bugs appear to relate to the naming of the broken packages.

Finnigan also noted that while Oracle released its bulletin, it won't have fixes available for all its products on all operating systems until 1 May. "I think it is bad form that Oracle release an advisory telling customers to patch their databases but for many customers they will have to wait," he wrote. "It is not really a quarterly patch schedule if the patches are not available quarterly."

The business software maker has come under fire for being slow to patch security holes and for not collaborating well with researchers who find bugs. Oracle's chief security officer, Mary Ann Davidson, has responded in turn by saying bug hunters themselves can be a problem when it comes to product security.

In its patch bulletin, the company credited a number of researchers with reporting vulnerabilities. These include Alexander Kornbrust of Red Database Security, Esteban Martinez Fayo of Application Security and David Litchfield of Next Generation Security Software, who claimed discovery of Oracle Database flaws in a posting to the Full Disclosure mailing list.

Joris Evers writes for CNET News.com