In Oracle’s last Critical Patch Update, the company released 38 fixes for 21 affected products, most notably some repair work for Oracle 11g, Oracle Application Server and Oracle WebLogic Server. This batch marked the first time that three fixes for Oracle’s core database had the highest vulnerability rating.
What can we expect this time around?
Oracle’s latest Critical Patch Update, to be released Jan. 12, contains only 24 new fixes, according to Oracle’s pre-release announcement. Affected products include the Oracle Database, Primavera, Oracle Application Server, Oracle E-Business Suite and Oracle WebLogic Server.
These vulnerabilities are rated on the CVSS 2.0 scoring system, with metrics that include ease of exploit and impact of a successful attack. Vulnerabilities are scored from 0.0 to 10.0, with 10.0 representing the most severe vulnerability.
Three products in this Patch Update contain vulnerabilities with a 10.0 score: Oracle Database Server and Oracle Secure Backup, both part of Oracle Database products, and Oracle JRockit in the Oracle BEA Products Suite.
At this time last year, Oracle had 41 security fixes, and we asked the question: Are Oracle’s Critical Patch Updates really that critical?
We received a variety of responses. Some of you didn’t install them because you thought they were “just patches for pretend problems, invented by some security ‘expert’,” while others felt the patches were indeed critical, and fairly easy to apply.
Have your views on Oracle patches changed in the last year? Do you install them? If not, why not?