Oracle Adopts Stricter Vulnerability Scoring System, Leading to Release of Huge Security Patch Update

April 29, 2016 7:06 pm Published by Leave your thoughts

System administrators have a busy time ahead of them after popular software company Oracle released a rather large security update containing 136 patches that will update flaws in most of its product range.  The huge size of the company’s latest security update is a result of Oracle adopting a stricter scoring system for vulnerabilities throughout its packages.

Although Oracle does have a history of sending out large updates, this time round the 136 vulnerabilities were found after Oracle began using the Common Vulnerability Scoring System (CVSS) version 3.0. The newer version provides improved accuracy when assessing the potential damage that can be caused by flaws as well as scoring them more precisely than CVSS 2.0.  In a statement announcing the patch update, Oracle recommended users apply the fix as soon as possible.

New Scoring System flags up Serious Vulnerabilities 

Chief among the security vulnerabilities that Oracle found using CVSS 3.0 was a serious issue that could be exploited by remote attackers who could then control the affected system.  A few of these flaws were rated at the maximum level of vulnerability. Despite not showing up when tested using CVSS 3.O, up to five vulnerabilities had been rated at 10 by the older scoring system. The disparity is remedied by the fact that the CVSS 3.0 system scored 17 flaws as critical compared to 9 flagged up by its predecessor.

At the same time, vulnerabilities with scores that are rated as high severity were numbered at 25 by the new test compared to only 12 found by CVSS 2.0.

The 136 fixes contained in the Critical Patch Update cover a whole host of Oracle’s product range. The following products all had issues addressed in the update:

  • Oracle Database Server
  • Oracle E-Business Suite
  • Oracle Fusion Middleware
  • Oracle Sun Products
  • Oracle Java SE
  • Oracle MySQL

The biggest number of security patches was reserved for Oracle MySQL, which had 31 vulnerabilities fixed.  Other products that featured high on the vulnerability count included Oracle Fusion Middleware with 22 patches, the company’s Sun System suite had 18, while Oracle PeopleSoft and Oracle Java SE had 15 and 9 each respectively.

Those wishing to see the full description of all the flaws can find the list here.

Oracle’s Renewed Security focus

As technology has advanced more sophisticated software programs have been created to the great benefit of both commercial and individual users. However, more sophisticated software also gives rise to a rise in the probability of vulnerabilities occurring. Compounding that is the fact that this sophistication also applies to the abilities of those who may wish to exploit any such flaws.

Oracle’s regular security patch updates and its adoption of a stricter testing method are evident results of the company’s focus on tightening security across the whole of its product range. The company recently released an emergency security patch after a flaw in Java was found which also allowed for remote manipulation of the software.

Other major security vulnerabilities have also popped up from time to time in Oracle products but they have always responded swiftly and robustly to remedy any issues. Oracle’s renewed push to improve security across its entire range was boosted by the addition of Leon Panetta, whose previous jobs include being US Secretary of Defence and the former director of the Central Intelligence Agency (CIA), to its board of directors.

So although system admins may have a lot to catch up on following Oracle’s latest security patch update, at least they can bear the task in the knowledge that Oracle takes their product security very seriously!

Leave a Reply

Your email address will not be published. Required fields are marked *