Commentary

Ready, Set, Patch Your Oracle Software

On Tuesday, Oracle is set to release a bevy of patches for Oracle Database and a handful of other Oracle software.
The patch update is part of Oracle's quarterly patch cycle, and the affected products go beyond its database and include its Oracle TimesTen In-Memory Database, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne, as well as Oracle BEA Products.

First, the good news: None of the 11 patches slated for Oracle databases fix vulnerabilities that are remotely exploitable. That is, attackers must be logged in to conduct an attack. Now the not-so-good news: Nine fixes for Oracle Application Server can be exploited by hackers who are not logged in. The same is true for a number of the updates on deck for Oracle WebLogic Server.

Oracle's Critical Patch Update (CPU) Pre-Release Announcement is available here. The Oracle quarterly patch cycle started about four years ago, as a way for Oracle to help lower the cost and aggravation associated with applying software patches.

While many of these vulnerabilities have been rated as critical, it's not likely that most organizations will rush to patch. Early this year, database security vendor Sentrigo asked a few hundred Oracle database professionals if they had ever installed an Oracle CPU, and 67.5% said they had never applied an Oracle CPU.
