The update is scheduled to be released Tuesday, Jan. 15. Though the Redwood Shores, Calif.-based company did not reveal the precise nature of any of the vulnerabilities in its advisory, the most serious security hole belongs to Oracle Application Server, which has more than one vulnerability with a CVSS (Common Vulnerability Scoring System) score of 9.3 out of a possible 10 for clients, according to company spokesperson Rebecca Hahn.
A total of six security fixes are aimed at Oracle Application Server, five of which are remotely exploitable without authentication. Two of the fixes for Oracle Application Server are applicable for client-only installations, company officials said in the advisory. The affected components include: Oracle BPEL Worklist Application, Oracle Forms, Oracle Internet Directory, Oracle JDeveloper and Oracle JInitiator.
The update also includes eight new fixes for the database. None of the vulnerabilities can be exploited without authentication, and affect the following Oracle Database components: Advanced Queuing, Core RDBMS, Oracle Agent, Oracle Spatial and XML DB, according to the company.
Seven patches address problems in the company's E-Business Suite, three of which can be exploited remotely without a username and password. The patches plug holes in the CRM Technical Foundation, Mobile Application Server, Oracle Application Object Library, Oracle Applications Framework, Oracle Applications Manager and the Oracle Applications Technology Stack components of Oracle E-Business Suite, the company states in the advisory.
Four others fix problems with Oracle PeopleSoft Enterprise products, and there is one patch apiece for the Oracle Agent component of Oracle Enterprise Manager and the Oracle Ultra Search component of Oracle Collaboration Suite.
The company's previous update, issued in October, included 51 security fixes affecting numerous products.