Oracle patch day addresses 88 vulnerabilities
Oracle has released 88 security patches as part of its scheduled April Critical Patch Update (CPU), ten more than on its last patch day in January. One of the patches affects a series of vulnerabilities in the Java JRockit VM with a CVSS Base Score of 10.0 – this is the highest possible level of vulnerability in the Common Vulnerability Scoring System. Oracle also closed holes with a CVSS score of 9.0 in Grid Engine and the Windows version of the database component Spatial (in non-Windows versions the vulnerability score of this flaw is 6.5). All other vulnerabilities have scores of 7.5 or lower.
Of the 88 released updates, 6 patch holes directly in Oracle's Database Server and 6 others might affect it indirectly via Enterprise Manager Grid Control. Of the Grid Control vulnerabilities, 4 can be exploited remotely without authentication. The Oracle Fusion middleware software received 11 advisories, some of which affect Java and therefore also JRockit. Additionally, 17 patches have been released for Oracle FLEXCUBE, 11 affect PeopleSoft Enterprise and 6 relate to MySQL. Oracle has released several patches for Solaris as well.
Details about the patched vulnerabilities are still sparse as the company is trying to prevent attackers from reverse engineering the fixes before its customers have had a chance to deploy them. In an earlier out-of-band update to MySQL, this strategy failed when Oracle accidentally released a proof of concept for exploiting a vulnerability along with a security patch.
Executive Summaries of the vulnerabilities can be found in the security advisory and the company recommends that users install the patches as soon as they become available because of "the threat posed by a successful attack". According to Oracle's Critical Patch Updates and Security Alerts page, the next round of updates on 12 June 2012 will patch security holes in the Java Runtime Environment as part of its Java SE Critical Patch Updates.
- Oracle Critical Patch Update Advisory - April 2012, security advisory from Oracle.