Oracle to release 46 updates [Update]

Today, Oracle administrators will have quite some work to do. The database specialist has announced 46 security updates to be released in their July Critical Patch Update (CPU). Some of these vulnerabilities can be exploited by remote attackers to gain access to affected systems without proper authentication.

The Critical Patch Update contains 20 fixes for Oracle databases, including one update for Application Express. Two of the fixed vulnerabilities can be exploited by remote attackers without proper authentication. Four updates are provided for Application Server, including three for flaws that are remotely exploitable. One patch fixes a hole in the instant messaging component of Oracle’s Collaboration Suite. 14 updates are provided for the E-Business Suite, including six to fix critical security holes. Oracle’s PeopleSoft Enterprise products are updated with seven patches.

As always, Oracle provides a vulnerability ranking, based on the CVSS scoring system. The database vulnerability with the highest severity receives a base score of 4.2. Although the holes in Application Server can be exploited for remote attacks, the CVSS base score is only 2.3. Background information on the CVSS scheme and on how to use it for evaluating the severity of vulnerabilities can be found in the article Magic Numbers or Snake Oil? – The Common Vulnerability Scoring System on heise Security/UK.

Update:

The patches are available now. Oracle didn't release one of the 20 announced updates for the database, thus only 45 patches were released in total.

See also:

• Details Oracle Critical Patch Update July 2007, Summary from Oracle
• Oracle Critical Patch Update Pre-Release Announcement - July 2007, overview by Oracle
• Magic Numbers or Snake Oil?, article on the common vulnerability scoring system on heise Security/UK

(mba)