Oracle’s latest critical patch update (CPU) went live today.
Overall, this is a fairly consistent release: 80 overall patches with 4 database vulnerabilities. Likewise, the same volume of MySQL vulnerabilities is consistent with previous releases. Some observations:
- The database vulnerabilities are about denial of service, probably around the Oracle Listener component which helps users communicate with the database remotely. Interestingly, for three of these database vulnerabilities all you need is network access, nothing more. This component has been around for 25 years—yet very serious issues persist. It emphasizes the complexity of software and the need for security outside of the code base as its written. This highlights why enterprises need a security solution on top of what comes with the database itself.
- Fourteen of the patches were from an acquired from a company called Stellant. This highlights the security issues with mergers and acquisitions—which were echoed with the Yahoo! Voices and Instagram-Facebook security issues.
- The biggest vulnerability? A JRocket issue that was fixed recently with other Java vulnerabilities.
This patch continues to show how big companies with a wide product line struggle to find the resources to keep all their products up to speed with security fixes and how complex software created by a series of mergers and acquisitions drives the need for external security that does not rely on the code itself.