19 Apr 2006
Oracle has posted its latest quarterly Critical Patch Update covering over 30 vulnerabilities, including a much publicised problem that was the cause of a dispute early this year.
Some experts, most notably David Litchfield of NGS Software, a UK-based security specialist, have accused the database giant of tardiness in patching critical flaws.
In January, Litchfield described a “very, very serious” issue with the PL/SQL Gateway, which he said would allow an attacker complete control of a back-end database server. At the time, Oracle reportedly criticised Litchfield for disclosing the problem publicly, played down the seriousness of the issue and said NGS’s workaround could harm other Oracle software.
Despite the spat, Litchfield is credited by Oracle in the update as one of those who “discovered and brought security vulnerabilities … to Oracle’s attention”. He was not immediately available for comment.
Some experts noted that some of the patches in the update would not be available on all platforms until the end of the month. The next Critical Patch Update is due on 18 July.
In a recent report, Forrester Research analyst Noel Yuhanna suggested that database security was often overlooked in favour of perimeter security.
“DBMS [database management system] security is not about software or hardware; it’s about establishing solid security policies and procedures and ensuring that they are supported by the DBMS security infrastructure and are well integrated with other elements of IT security,” Yuhanna wrote.