Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Security Infrastructure

Oracle Brings 57 Security Fixes in October Patch Update, Industry Criticism Continues

On Tuesday, Oracle released its Critical Patch Update for October 2011 which brought a total of 57 security vulnerability fixes across multiple Oracle products.

On Tuesday, Oracle released its Critical Patch Update for October 2011 which brought a total of 57 security vulnerability fixes across multiple Oracle products.

Despite bringing an average number of fixes, many industry experts voiced concern over the number of fixes specific to Oracle’s database server. In the October 2011 CPU, just five fixes were specific to the Oracle database server. Historically, the database giant has been criticized over its security response efforts and this month is no different.

Oracle Logo“This CPU is one of the weakest releases of Database Server patches we’ve seen since the process started in 2005,” said Alex Rothacker, Director of Security, at Application Security, Inc. “The record low number of database patches continues an alarming trend of Oracle seemingly losing focus on database security improvements.”

Experts also voiced their concerns over the rankings Oracle assigned to some of the vulnerabilities being addressed in the update.

“With the highest vulnerability being only 6.5 on the CVSS scoring system, Oracle seems to be downplaying a few vulnerabilities that can be easily exploited,” said Amichai Shulman, CTO at Imperva. “This one should probably be higher because the effect is practically a full takeover of the database server and it’s easy to exploit,” he explained. “Another database vulnerability (CVE-2011-3512) gets a 5.5 but should be higher as well. It’s probably a SQL injection vulnerability which is relatively easy to exploit and could lead to a catastrophic dump of the database’s contents.”

Kurt Baumgartner, Senior Security Researcher at Kaspersky Lab, pointed to an important Java update, a fix for the “BEAST” exploit, that came as part of this week’s fixes. “Most interesting, but perhaps with little impact, is the Java SE BEAST update,” he noted. BEAST – Browser Exploit Against SSL/TLS is a tool developed by security researchers Juliano Rizzo and Thai Duong that enables attackers to decrypt HTTP cookies. “The exploit almost turned into more of a disaster when Mozilla considered blocking all Java add-on use from their browsers: ‘We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so.’ So, it is somewhat surprising that Oracle rated this fix low within their risk matrix with a ‘Base Score’ of 4.3,” Baumgartner explained.

Earlier this month, Oracle announced enhancements to its Oracle Enterprise Manager 12c product, adding new security features including the ability for organizations to monitor and configure database access, encrypt data, mask data and provide privileged user controls, as well as several other security and IT compliance related functions. Despite these recent offerings, the industry still believes Oracle needs to be more responsive and put more resources into operations surrounding security and vulnerabilities.

As always, system and database administrators should review the updates and apply updates accordingly to reduce security risks. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” Oracle noted in the CPU update advisory.

Advertisement. Scroll to continue reading.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture


Identity and access governance vendor Saviynt has closed a $205 million financing round.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.


Security orchestration, automation and response (SOAR) provider Swimlane on Monday announced the launch of a security automation solution ecosystem for operational technology (OT) environments.

Identity & Access

The National Security Agency (NSA) has published a series of recommendations on how to properly configure IP Security (IPsec) Virtual Private Networks (VPNs).