Oracle released fixes for a total of 41 bugs in its April Critical Patch Update, including a serious vulnerability affecting Oracle Application Server.
The CPU, Oracle's second of the year, includes 17 fixes for Oracle Database products, 11 for the Oracle E-Business Suite, six for the Oracle Siebel Enterprise Suite, three for Oracle Application Server, three for the PeopleSoft-JD Edwards Suite and one for Oracle Enterprise Manager.
The most serious of the vulnerabilities affects Oracle Application Server, specifically Oracle Jinitiator, and has a CVSS (Common Vulnerability Scoring System) rating of 9.3. Jinitiator allows a Web-enabled Oracle Forms client application to run within a browser. According to the company's advisory, the vulnerability applies only to the client portion of Application Server.
"The impact of this vulnerability is limited to Jinitiator; there is no Oracle Application Server impact," company officials stated in the advisory. "Oracle Jinitiator Versions 220.127.116.11 and later are not affected."
All three of the vulnerabilities affecting Application Server can be exploited remotely without authentication. Seven of the 11 vulnerabilities affecting Oracle E-Business Suite can be exploited remotely without a user name or password.
January's CPU featured 26 security fixes for Oracle products. The next CPU is slated to be released July 15.