The update is scheduled to be released Tuesday, Jan. 15. Though the
Redwood Shores, Calif.-based company did not reveal the precise nature
of any of the vulnerabilities in its advisory, the most serious
security hole belongs to Oracle Application Server, which has more than
one vulnerability with a CVSS (Common Vulnerability Scoring System)
score of 9.3 out of a possible 10 for clients, according to company
spokesperson Rebecca Hahn.
A total of six security fixes are aimed at Oracle Application
Server, five of which are remotely exploitable without authentication.
Two of the fixes for Oracle Application Server are applicable for
client-only installations, company officials said in the advisory. The
affected components include: Oracle BPEL Worklist Application, Oracle
Forms, Oracle Internet Directory, Oracle JDeveloper and Oracle
JInitiator.
The update also includes eight new fixes for the database. None of
the vulnerabilities can be exploited without authentication, and affect
the following Oracle Database components: Advanced Queuing, Core RDBMS,
Oracle Agent, Oracle Spatial and XML DB, according to the company.
Seven patches address problems in the company’s E-Business Suite,
three of which can be exploited remotely without a username and
password. The patches plug holes in the CRM Technical Foundation,
Mobile Application Server, Oracle Application Object Library, Oracle
Applications Framework, Oracle Applications Manager and the Oracle
Applications Technology Stack components of Oracle E-Business Suite,
the company states in the advisory.
Four others fix problems with Oracle PeopleSoft Enterprise products,
and there is one patch apiece for the Oracle Agent component of Oracle
Enterprise Manager and the Oracle Ultra Search component of Oracle
Collaboration Suite.
The company’s previous update, issued in October, included 51 security fixes affecting numerous products.
