As part of the July CPU

Jul 19, 2006 13:07 GMT

Oracle's Critical Patch Update (CPU) is a bundle of patches that address multiple security flaws, together with non-security fixes needed to satisfy the dependencies of the security patches. Oracle has issued a total of 65 security updates, the release being part of the company's quarterly patch cycle. With no fewer than 27 flaws that could be exploited remotely by an attacker, Oracle strongly advised its customers to install the updates, since it offers no workarounds in their place.

"We fix flaws in severity order. The fixes you see in the Critical Patch Update are the most critical," said Darius Wiles, senior manager for security alerts at Oracle. "We strongly recommend to customers that they apply these security patches as soon as they can."

The update package delivers the largest number of fixes for Oracle's Database products, with 23 related flaws. 10 remedies address vulnerabilities in Application Server and 20 in E-Business Suite and Applications. Four security holes in Enterprise Manager and two in PeopleSoft's Enterprise portal will be plugged, while a single vulnerability will be patched in each of the Collaboration Suite and JD Edwards software.

"There are four new database vulnerabilities addressed by this Critical Patch Update that affect Oracle Database Client-only installations (installations that do not have the Oracle Database installed). For three of these vulnerabilities, an untrusted, malicious server can cause the client to terminate if the client connects to the rogue server. The fourth vulnerability allows an untrusted, malicious server to cause the client to terminate, and additionally may allow the execution of arbitrary code on the client. A client may be exposed to these four vulnerabilities either by connecting directly to the malicious server, or through a database link. Client-side software in the middle tier is patched as part of the general middle tier patch and customers do not need to apply additional patches. If this is not the case it will be documented in the appropriate supplementary documentation," stated Oracle.