Oracle Rings in the New Year With 27 Patches
Updated: Oracle's first critical patch update of the new year features 27 security fixes- including severe vulnerabilities in Oracle Application Server.
The update is scheduled to be released Tuesday, Jan. 15. Though the Redwood Shores, Calif.-based company did not reveal the precise nature of any of the vulnerabilities in its advisory, the most serious security hole belongs to Oracle Application Server, which has more than one vulnerability with a CVSS (Common Vulnerability Scoring System) score of 9.3 out of a possible 10 for clients, according to company spokesperson Rebecca Hahn. A total of six security fixes are aimed at Oracle Application Server, five of which are remotely exploitable without authentication. Two of the fixes for Oracle Application Server are applicable for client-only installations, company officials said in the advisory. The affected components include: Oracle BPEL Worklist Application, Oracle Forms, Oracle Internet Directory, Oracle JDeveloper and Oracle JInitiator.
The update also includes eight new fixes for the database. None of the vulnerabilities can be exploited without authentication, and affect the following Oracle Database components: Advanced Queuing, Core RDBMS, Oracle Agent, Oracle Spatial and XML DB, according to the company.