In its quarterly round of Critical Patch Updates on Tuesday, Oracle is expected to release security fixes for 27 vulnerabilities that it said affect “hundreds” of its products.
The fixes – at least one addresses a flaw with a dangerous 9.3 out of 10 severity ranking – cover multiple versions of the company’s flagship Oracle database application as well as its Oracle Application Server, Collaboration Suite, E-Business Suite, Enterprise Grid Control software, and two PeopleSoft modules. The company’s pre-release announcement noted that “some of the vulnerabilities addressed in this critical patch update affect multiple products.”
The lion’s share of the most severe vulnerabilities impact Oracle’s Application Server. Five of the six bugs can be remotely exploited over a network without requiring a username and password; two of the vulnerabilities impact client-only installations.
The Oracle Application Server components to be fixed in Tuesday’s round of updates are the Oracle BPEL Worklist Application, Oracle Forms, the Oracle Internet Directory, the Oracle JDeveloper and the Oracle JInitiator.
The eight security fixes for the Oracle Database impact the product’s advanced queuing, core RDBMS (relational database management system), Oracle Agent and Spatial, and the XML DB. None of these vulnerabilities can be exploited remotely, according to Oracle.
Oracle is patching seven vulnerabilities in its E-Business Suite; three of them can be exploited remotely. Because this product uses functionality of the Oracle Database and Oracle Application Server, it also is impacted by the vulnerabilities of those products as well.
Oracle also is patching single vulnerabilities in its Enterprise Manager and Collaboration Suite. While the Enterprise Manager bug can be exploited remotely, the Collaboration suite requires local intervention.
Finally, Tuesday’s round of patches contains four new security fixes for Oracle PeopleSoft Enterprise products, only one of which can be exploited remotely.
Oracle said this round contains no new security fixes impacting the products it acquired when it purchased JD Edwards.
Unlike Microsoft, which relies on a proprietary vulnerability scoring system, Oracle uses standardized metrics for determining the severity level of its security bugs. This standard, called the Common Vulnerability Scoring System (CVSS), was developed by the Forum of Incident Response and Security Teams (FIRST). It provides an open method for communicating the characteristics and impacts of IT vulnerabilities.
According to Oracle, the highest CVSS base score of vulnerabilities across all products in Tuesday’s upcoming patch cycle is 6.8 for application servers and 9.3 for application server clients (with 10 being the most severe score). The 9.3 rating is among the highest in some time for Oracle security updates.
On the database side, the most severe bug rates a 6.5.