by Imperva CTO Amichai Shulman
Today, Oracle released their critical patch update (CPU). The release contains fixes for 57 vulnerabilities, which is about average compared to past releases. It is also worth noting that this set of patches follows a different framework. In the past, JRockit, originally an Oracle product, was incorporated into the standard CPU cycle. This time, it is part of the separate Java SE CPU cycle. Also, Oracle has added a proprietary version of Linux to the standard CPU cycle.
As usual, Oracle's use of the CVSS scoring system keeps the scores of most vulnerabilities low. In the database product, for example, some vulnerabilities are probably downplayed: the highest-rated vulnerability scores only 6.5 out of 10 (CVE-2011-3525), but it should probably be rated higher because:
- The effect is practically a full takeover of the database server.
- It’s easy to exploit.
Another database vulnerability gets a 5.5 (CVE-2011-3512) but should be rated higher as well. It’s probably a SQL injection vulnerability, which is relatively easy to exploit and could lead to a catastrophic dump of the database's contents.