Oracle closes 36 security holes
Rather than 37 holes as announced, Oracle’s Critical Patch Update of today’s patchday only fixes 36 security vulnerabilities in the vendor’s products, including holes in Oracle’s database products that allowed remote access to the system. The most critical vulnerability only affects Windows products. The update for Oracle Database 220.127.116.11 will not be available before end of April.
Other vulnerabilities to be fixed by the patches include bugs in Oracle’s Application Server, E-Business Suite, Enterprise Manager, Peoplesoft Enterprise and other products that allow hackers to spy out or manipulate content. According to database security specialist Alexander Kornbrust, Oracle has known about the oldest of these holes (AS01) since 2003. It has been base scored at 4.2 out of 10 under the Common Vulnerability Scoring System (CVSS).
From the risk matrix in Oracle’s CPU overview users can determine the nature of the problems represented by the individual holes. In addition, Oracle has documented the parameters that contribute to the base vulnerability scoring (CVSS) for the individual vulnerabilities.
- Oracle Critical Patch Update - April 2007, overview provided by Oracle