And enhances the CPU documentation

Oct 18, 2006 08:01 GMT

Oracle's eighth Critical Patch Update (CPUOct2006) addresses a total of 101 vulnerabilities. Unlike Microsoft, Oracle issues its patches on a quarterly rather than a monthly basis. As is traditional for Oracle, the critical patch updates are cumulative; Oracle E-Business Suite is the only exception to this rule. Oracle Database Server, Oracle Application Server, Oracle Application Express (formerly known as Oracle HTML DB), Oracle Collaboration Suite, Oracle E-Business Suite, Oracle's PeopleSoft Enterprise, and Oracle's JD Edwards EnterpriseOne applications are all affected by CPUOct2006.

"More than one third of the vulnerabilities patched in this CPU are in an optional product (35 vulnerabilities for Oracle Application Express) and do not affect most customers. It is also worth noting that twenty-two of the vulnerabilities addressed in this CPU affect Oracle Database, but none of these vulnerabilities impact Oracle Database Client," stated Eric Maurice, Manager for Security in Oracle's Global Technology Business Unit.

"In terms of critical fixes, the majority of them lie within the application server product," said Darius Wiles, the senior manager for security alerts at Oracle. "There is a number that could be exploited both remotely and without authentication, and those are the ones that customers should be most concerned about and fix as soon as possible."

Oracle's database products account for no fewer than 63 vulnerabilities. CPUOct2006 also addresses 14 vulnerabilities in Application Server, 13 in E-Business Suite, 8 in PeopleSoft products, one in Oracle Pharmaceuticals and one in JD Edwards software.

"With this release, we also introduced significant enhancements to the CPU documentation. These enhancements include the adoption of the Common Vulnerability Scoring System (CVSS), the identification of vulnerabilities that may be exploited remotely without authentication to the targeted system, and the introduction of an executive summary," added Maurice.