Oracle To Issue 88 Security Fixes in July 2012 Critical Patch Update

Database giant Oracle on Thursday issued its pre-release announcement for its July 2012 Critical Patch Update, saying it would issue 88 new security vulnerability fixes across hundreds of Oracle products.

As part of the update, Oracle will issue 4 new security fixes for vulnerabilities in the company’s flagship Oracle Database Server, 3 of which may be remotely exploitable without authentication.

Commenting on the once-again low number of security fixes focused on the Oracle Database, Alex Rothacker, Director of Security Research at Application Security, Inc. told SecurityWeek, “This is really disappointing to me and continues the trend of Oracle loosing focus on their namesake product. We know there are more issues to be fixed, but Oracle is clearly focusing their energy on other products, like Fusion Middle Ware with 22 fixed issues and the Sun Product Suite with 25 fixed issues.”

“The highest CVSS score for the Database fixes is 5.0 and 3 of them are remotely exploitable without authentication,” Rothacker added. “5.0 is a low CVSS score for a remotely w/o auth exploitable vulnerability, which makes me guess that these vulnerabilities do not allow a confidentiality compromise, but are most likely denial of service level vulnerabilities.”

“The highest CVSS score in the overall CPU is 10.0 and is assigned to a Fusion Middle Ware fix. 10.0 means a complete compromise of the software and the server,” he continued.

Oracle said the patch update contains 6 new security fixes for MySQL, noting that of the vulnerabilities may be remotely exploitable without authentication. “These tend to be community fixes and Oracle is just re-packaging them,” Rothacker said.

Oracle’s July 2012 Critical Patch Update is set to be released on Tuesday, July 17, 2012 and affects the following products and components, according to Oracle:

Affected Products and Components Security vulnerabilities addressed by this Critical Patch Update affect the following products:

• Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3

• Oracle Database 11g Release 1, version 11.1.0.7

• Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5

• Oracle Secure Backup, version 10.3.0.3, 10.4.0.1

• Oracle Fusion Middleware 11g Release 2, version 11.1.2.0

• Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.6

• Oracle Application Server 10g Release 3, version 10.1.3.5

• Oracle Identity Management 10g, version 10.1.4.3

• Hyperion BI+, version 11.1.1.x

• Oracle JRockit versions, R28.2.3 and earlier, R27.7.2 and earlier

• Oracle Map Viewer, versions 10.1.3.1, 11.1.1.5, 11.1.1.6

• Oracle Outside In Technology, versions 8.3.5, 8.3.7

• Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2

• Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1

• Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5

• Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3

• Oracle E-Business Suite Release 11i, version 11.5.10.2

• Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2

• Oracle AutoVue, versions 20.0.2, 20.1

• Oracle PeopleSoft Enterprise HRMS, versions 9.0, 9.1

• Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52

• Oracle Siebel CRM, versions 8.1.1, 8.2.2

• Oracle Clinical Remote Data Capture Option, versions 4.6, 4.6.2, 4.6.3

• Oracle Sun Product Suite

• Oracle MySQL Server, versions 5.1, 5.5