Oracle previews upcoming patch load

News
Jan 13, 2012 · 6 mins
Data and Information Security

Oracle will release its quarterly security update Tuesday. Here’s a look at the advance notification.

Oracle Critical Patch Update Pre-Release Announcement – January 2012

Description

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for January 2012, which will be released on Tuesday, January 17, 2012. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 78 new security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

Vulnerabilities fixed by Critical Patch Updates are scored using the standard CVSS 2.0 scoring (see Oracle’s Use of CVSS Scoring). The highest CVSS 2.0 Base Score for vulnerabilities in this Critical Patch Update is 7.8 for Solaris of Oracle Sun Products Suite.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the following products:

Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3

Oracle Database 11g Release 1, version 11.1.0.7

Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5

Oracle Database 10g Release 1, version 10.1.0.5

Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0

Oracle Application Server 10g Release 3, version 10.1.3.5.0

Oracle Outside In Technology, versions 8.3.5, 8.3.7

Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5)

Oracle E-Business Suite Release 12, versions 12.1.2, 12.1.3

Oracle E-Business Suite Release 11i, version 11.5.10.2

Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2

Oracle PeopleSoft Enterprise CRM, version 8.9

Oracle PeopleSoft Enterprise HCM, versions 8.9, 9.0, 9.1

Oracle PeopleSoft Enterprise PeopleTools, version 8.52

Oracle JDEdwards, version 8.98

Oracle Sun Product Suite

Oracle Sun Ray, version 5.3

Oracle VM VirtualBox, version 4.1

Oracle Virtual Desktop Infrastructure, version 3.2

Oracle MySQL Server, versions 5.0, 5.1, 5.5, 5.6

Executive Summaries

Oracle Database Server Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 5 vulnerabilities have been collapsed. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 5.5

The Oracle Database Server components affected by vulnerabilities that are fixed in this Critical Patch Update are:

Core RDBMS

Listener

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 11 new security fixes for Oracle Fusion Middleware. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 2 vulnerabilities have been collapsed.

The highest CVSS Base Score of vulnerabilities affecting Oracle Fusion Middleware is 6.4

The Oracle Fusion Middleware components affected by vulnerabilities that are fixed in this Critical Patch Update are:

Oracle Outside In Technology

Oracle Web Services Manager

Oracle WebCenter Content

Oracle WebLogic Server

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 3 new security fixes for the Oracle E-Business Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

The highest CVSS Base Score of vulnerabilities affecting Oracle E-Business Suite is 4.3

The Oracle E-Business Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

Oracle Application Object Library

Oracle Forms

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 1 new security fix for the Oracle Supply Chain Products Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

The highest CVSS Base Score of vulnerabilities affecting Oracle Supply Chain Products Suite is 5.0

The Oracle Supply Chain Products Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

Oracle Transportation Management

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 6 new security fixes for Oracle PeopleSoft Products. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password.

The highest CVSS Base Score of vulnerabilities affecting Oracle PeopleSoft Products is 4.0

The Oracle PeopleSoft Products components affected by vulnerabilities that are fixed in this Critical Patch Update are:

PeopleSoft Enterprise CRM

PeopleSoft Enterprise HCM

PeopleSoft Enterprise PeopleTools

Oracle JD Edwards Products Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle JD Edwards Products. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

The highest CVSS Base Score of vulnerabilities affecting Oracle JD Edwards Products is 5.0

The Oracle JD Edwards Products components affected by vulnerabilities that are fixed in this Critical Patch Update are:

JD Edwards EnterpriseOne Tools

Oracle Sun Products Suite Executive Summary

This Critical Patch Update contains 17 new security fixes for the Oracle Sun Products Suite. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

The highest CVSS Base Score of vulnerabilities affecting Oracle Sun Products Suite is 7.8

The Oracle Sun Products Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

GlassFish Enterprise Server

Oracle Communications Unified

Oracle OpenSSO

Solaris

Oracle Virtualization Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Virtualization. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. 5 vulnerabilities have been collapsed.

The highest CVSS Base Score of vulnerabilities affecting Oracle Virtualization is 3.7

The Oracle Virtualization components affected by vulnerabilities that are fixed in this Critical Patch Update are:

Oracle VM VirtualBox

Virtual Desktop Infrastructure (VDI)

Oracle MySQL Executive Summary

This Critical Patch Update contains 27 new security fixes for Oracle MySQL. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

The highest CVSS Base Score of vulnerabilities affecting Oracle MySQL is 5.5

The Oracle MySQL components affected by vulnerabilities that are fixed in this Critical Patch Update are:

MySQL Server

Good thing these updates aren’t monthly. That’s a lot to process. 😉

–Bill Brenner