Oracle updates close 78 holes
As expected, Oracle has released 78 security patches in its January Critical Patch Updates (CPU). The company says that these patch day updates address vulnerabilities in "hundreds of Oracle products". 16 of the vulnerabilities patched are remotely exploitable without authentication.
Affected products include Oracle Database 10g and 11g, Fusion Middleware 11g, Application Server 10g, Outside In Technology, WebLogic Server, versions 11i and 12 of its E-Business Suite, Oracle Transportation Management, JD Edwards, Sun Ray, VM VirtualBox, Virtual Desktop Infrastructure, MySQL Server, and PeopleSoft Enterprise CRM, HCM and PeopleTools. A TCP/IP vulnerability in Solaris 9, 10 and 11 Express is the highest rated of these, with a CVSS score of 7.8 out of 10.0.
The company, as usual in its Critical Patch Updates, advises users to install the patches as soon as they become available, because of "the threat posed by a successful attack". Executive Summaries of the vulnerabilities can be found in the security advisory.
According to Oracle's Critical Patch Updates and Security Alerts page, the next round of updates will patch security holes in the Java Runtime Environment on 14 February 2012 as part of its Java SE Critical Patch Updates.
- Oracle Critical Patch Update Advisory - January 2012, security advisory from Oracle.