Updated July 19 to include information on the product versions affected by the delayed patches.
Oracle Corp. fixed 65 security holes Tuesday in its latest quarterly Critical Patch Update (CPU). The flaws affect a variety of products, including the vendor's database and application server software.
According to Symantec's DeepSight Threat Management Service, attackers can exploit some of the vulnerabilities to completely compromise a vulnerable server; and others to partially affect the availability, confidentiality or integrity of the computer. Both remote and local attacks are possible, Symantec said.
The latest pile of vulnerabilities is larger than the 36 flaws addressed in Oracle's April CPU, but fewer than the 82 flaws fixed in January.
Some security experts criticized the Redwood Shores, Calif.-based database giant for delaying patches for certain platforms in the April CPU. Darius Wiles, Oracle's senior manager of security alerts, acknowledged Tuesday that some patches were being held back this time as well.
"About 10 patches won't be available today because of quality issues," Wiles said. "Most of those will be out in the next few days, though some might take a bit longer." Product versions affected by these delays are Oracle Application Server 188.8.131.52 on HP Tru64 and Oracle Application Server 10.1.2.0.2 on Linux and Microsoft Windows (32-bit).
However, 10 isn't a lot, Wiles added, when one considers that the July CPU includes a total of 250 patches -- one patch for each specific product version and platform that's affected by the 65 flaws. He added, "We want to get all patches out by noon PT" the day of a CPU release, "but if we run across any problems, we will hold some back."
Of the 65 flaws addressed in the July CPU:
- One is the vulnerability Oracle accidentally detailed on its MetaLink customer support site in April.
- Four apply to Oracle's database clients and 23 apply to its server software. Customers should be particularly cognizant of the four client-side issues, Wiles said, because they tend to be tougher to patch than issues on the server side. Generally speaking, customers should be most concerned about flaws that can be exploited remotely without requiring any credentials, he added. There are 10 such flaws addressed in the database this time around.
- Ten affect the Application Server product line and nine of those are of the most critical nature.
- One affects the Collaboration Suite product line and is among the more minor issues addressed.
- Twenty affect the E-Business Suite and five of them are of the most critical nature.
- Four affect Enterprise Manager and two of them are of the most critical nature.
Two affect PeopleSoft and one affects JD Edwards. The JD Edwards flaw is of the most critical nature.
Wiles also noted a formatting change made to this month's patch bulletin in response to customer feedback. Instead of separate MetaLink documents for the Database, Enterprise Manager, Applications Server and Collaboration Suite, information on the four product lines has been boiled down into one document. That way, he said, customers don't have to read as much text to find what they're looking for.
Oracle has been criticized in the past for providing security bulletins that are very hard to digest. The database giant has also taken heat in the past for sitting on older flaws, not always fixing vulnerabilities as advertised in the CPUs and not including enough information on the specific flaws.
In a recent interview, Wiles and John Heimann, Oracle's director of security program management, admitted that a vast array of platforms and mountains of source code can make for some patching mistakes, but they don't necessarily agree with some of the flaw findings independent researchers release to the public.
This article originally appeared on SearchSecurity.com.