Amichai Shulman, CTO of a web and database security company, has suggested that Oracle may be losing momentum when it comes to fixing and patching database vulnerabilities once they are highlighted. He notes that in the past, when Oracle had far fewer products, the company would patch 100 database vulnerabilities at a time.
"Oracle patching needs fixing. In the past, Oracle provided a solid process of receiving reports, validating and scheduling fixes. However, the quarterly patch cycle has seen a slowdown in fixing database vulnerabilities since the acquisition and incorporation of so many companies and products during the past year," said Shulman.
Shulman has reviewed the Oracle Critical Patch Update released this week and provides his analysis of it: "Additionally troubling is the fact that Oracle gives no clear indication of what the vulnerabilities involve, citing concerns that hackers would transform these vulnerabilities into exploits. Unfortunately, hackers will already reverse-engineer this patch to determine these vulnerabilities, leaving Oracle customers as the only party without insight into what is happening."
If the vulnerabilities Shulman highlights are as severe as he suggests, Oracle customers may be left with the problem of developing workarounds for their production applications. As for the patch released this week, Shulman says that four of its vulnerabilities carry a severity rating of 10.
"Within the database products, only six vulnerabilities are fixed. Two are remotely exploitable without authentication, yet the highest severity is only 7.5. It is also interesting to note only two vulnerabilities were fixed in the EBS suite. PeopleSoft and JDEdwards have 12 fixes. The primary exploit across the patch seems to be SQL injection in various modules. Exploits may emerge over the next few days, but we’ll have to wait and see. Unfortunately, it will likely take much longer for companies to test and implement this patch into their production environment," said Shulman.
Oracle, meanwhile, asserts that this patch is part of a longstanding series of solid updates, claiming: "With this Critical Patch Update (CPU), Oracle's primary security vulnerability remediation program enters its seventh year (the first Critical Patch Update was released in January 2005). The program continues to provide customers with a consistent mechanism for the distribution of security fixes across all Oracle products. CPUs are issued on a predictable schedule published a year in advance."
According to Oracle's official Critical Patch Update blog, the company recently published a technical white paper titled "Recommendations for Leveraging the Critical Patch Update and Maintaining a Proper Security Posture", which documents the practices of a number of organizations that have adopted repeatable processes for dealing with Critical Patch Updates. The white paper is intended as a starting point for administrators who are new to the Critical Patch Update or feel overwhelmed by the prospect of patching their systems.