Security Experts:

Oracle To Issue 88 Security Fixes in July 2012 Critical Patch Update

Database giant Oracle on Thursday issued its pre-release announcement for its July 2012 Critical Patch Update, saying it would issue 88 new security vulnerability fixes across hundreds of Oracle products.

As part of the update, Oracle will issue 4 new security fixes for vulnerabilities in the company’s flagship Oracle Database Server, 3 of which may be remotely exploitable without authentication.

Oracle LogoCommenting on the once-again low number of security fixes focused on the Oracle Database, Alex Rothacker, Director of Security Research at Application Security, Inc. told SecurityWeek, “This is really disappointing to me and continues the trend of Oracle loosing focus on their namesake product. We know there are more issues to be fixed, but Oracle is clearly focusing their energy on other products, like Fusion Middle Ware with 22 fixed issues and the Sun Product Suite with 25 fixed issues.”

“The highest CVSS score for the Database fixes is 5.0 and 3 of them are remotely exploitable without authentication,” Rothacker added. “5.0 is a low CVSS score for a remotely w/o auth exploitable vulnerability, which makes me guess that these vulnerabilities do not allow a confidentiality compromise, but are most likely denial of service level vulnerabilities.”

"The highest CVSS score in the overall CPU is 10.0 and is assigned to a Fusion Middle Ware fix. 10.0 means a complete compromise of the software and the server," he continued.

Oracle said the patch update contains 6 new security fixes for MySQL, noting that of the vulnerabilities may be remotely exploitable without authentication. “These tend to be community fixes and Oracle is just re-packaging them,” Rothacker said.

Oracle’s July 2012 Critical Patch Update is set to be released on Tuesday, July 17, 2012 and affects the following products and components, according to Oracle:

Affected Products and Components Security vulnerabilities addressed by this Critical Patch Update affect the following products:

• Oracle Database 11g Release 2, versions,

• Oracle Database 11g Release 1, version

• Oracle Database 10g Release 2, versions,,

• Oracle Secure Backup, version,

• Oracle Fusion Middleware 11g Release 2, version

• Oracle Fusion Middleware 11g Release 1, versions,

• Oracle Application Server 10g Release 3, version

• Oracle Identity Management 10g, version

• Hyperion BI+, version 11.1.1.x

• Oracle JRockit versions, R28.2.3 and earlier, R27.7.2 and earlier

• Oracle Map Viewer, versions,,

• Oracle Outside In Technology, versions 8.3.5, 8.3.7

• Enterprise Manager Plugin for Database 12c Release 1, versions,

• Enterprise Manager Grid Control 11g Release 1, version

• Enterprise Manager Grid Control 10g Release 1, version

• Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3

• Oracle E-Business Suite Release 11i, version

• Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2

• Oracle AutoVue, versions 20.0.2, 20.1

• Oracle PeopleSoft Enterprise HRMS, versions 9.0, 9.1

• Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52

• Oracle Siebel CRM, versions 8.1.1, 8.2.2

• Oracle Clinical Remote Data Capture Option, versions 4.6, 4.6.2, 4.6.3

• Oracle Sun Product Suite

• Oracle MySQL Server, versions 5.1, 5.5

view counter
For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.