Oracle closes 128 holes across its product range
With its quarterly Critical Patch Update (CPU), Oracle has closed 128 security holes across its whole range of products. Two of the vulnerabilities addressed by these patches are rated at the maximum severity, a base score of 10.0 on version 2 of the Common Vulnerability Scoring System (CVSS v2), which means they can be exploited over the network without authentication and lead to a complete compromise of the affected system. These two vulnerabilities affect the Workload Manager in Oracle's 11g Database Server (CVE-2013-1534) and the JRockit JVM in the company's Fusion Middleware (CVE-2013-2380). Because of the threat posed by the holes, Oracle recommends that customers apply the Critical Patch Update fixes as soon as possible.
Oracle's Database Server, in both the 10g and 11g versions, is affected by four vulnerabilities in total; aside from the hole in Workload Manager with a score of 10.0, the other three vulnerabilities have a CVSS v2 score of 5.0. All four are remotely exploitable without authentication, i.e. over the network without a username or password. Various components of the MySQL server received a total of 25 fixes, most of which are not remotely exploitable without authentication; they range in severity from a base score of 6.8 down to 1.5. Oracle Fusion Middleware receives a total of 29 fixes, ranging in severity from a CVSS v2 score of 10.0 to as low as 1.5; 22 of these vulnerabilities are remotely exploitable without authentication. E-Business Suite has had six holes patched, the most severe of which has a CVSS v2 score of 5.0.
Oracle Supply Chain has received three fixes, the PeopleSoft products receive 11 and Oracle Sun Middleware has had two holes fixed; all of these vulnerabilities have a severity score lower than 5.0. The company has also fixed eight problems in its Siebel CRM suite, with severity ratings ranging between 6.0 and 3.5, and has shipped patches for Oracle Financial Services Software (18), Oracle Industry Applications (3) and its Primavera Products Suite (2), all of which have a CVSS v2 rating of 5.5 or lower. The Oracle and Sun Systems Products Suite is affected by a total of 16 fixes with scores ranging from 6.4 to 1.7, and the Oracle Support Tools had a hole in their Automatic Service Request component plugged that is rated 6.9 on the CVSS v2 scale.
Oracle's Critical Patch Update does not include Java patches, as Java SE fixes are delivered in a separate Critical Patch Update of their own. Detailed information about the updates, the affected versions and how to obtain the patches is available in Oracle's Critical Patch Update Advisory for April 2013.