Oracle will release its Critical Patch Update for July 2008 on Tuesday, July 15, with 45 critical security fixes across hundreds of Oracle products.
The security fixes are offered for Oracle's database, TimesTen in-memory database, Oracle Application Server, PeopleSoft Enterprise products, Oracle Enterprise Manager Database Control, E-Business Suite, and WebLogic Server.
The Critical Patch Update includes 11 new security fixes that affect Oracle database versions within 11g, 10g, and 9i releases.
“None of these vulnerabilities may be remotely exploited without authentication, i.e., may be exploited over a network without the need for a username and password,” said Oracle.
The Oracle Database components affected by vulnerabilities for which patches are offered are: Advanced Queuing, Advanced Replication, Authentication, Core RDBMS, Data Pump, Database Scheduler, Oracle Database Vault, and Oracle Spatial. The highest Common Vulnerability Scoring System (CVSS) base score of vulnerabilities affecting Oracle Database products is 6.5.
There are three security fixes for Oracle TimesTen In-Memory Database. All three vulnerabilities may be remotely exploited without authentication, according to Oracle. The highest CVSS base score of vulnerabilities affecting TimesTen In-Memory Database is 5.0.
Oracle Application Server is provided with nine new security patches for the following components: Hyperion BI Plus (formerly Hyperion Performance Suite), Oracle HTTP Server, Oracle Internet Directory, and Oracle Portal.
Hackers can remotely exploit all these vulnerabilities without authentication.
“Oracle Application Server products that are bundled with the Oracle Database are affected by Oracle Database vulnerabilities fixed in this CPU,” stated the company.
The highest CVSS base score of vulnerabilities affecting Oracle Application Server products is 6.8.
Oracle E-Business Suite is provided with six new security fixes. The E-Business Suite uses Oracle Database and Oracle Application Server products, which have vulnerabilities fixed in this CPU. None of these vulnerabilities may be remotely exploited without authentication.
The security patch fixes vulnerabilities in E-Business Suite components, namely, Mobile Application Server, Oracle Report Manager, Oracle iStore, Oracle Application Object Library, and Oracle Applications Technology Stack. The highest CVSS base score of vulnerabilities affecting E-Business Suite products is 5.5.
The Critical Patch Update contains two new security fixes for Oracle Enterprise Manager components: Instance Management and Resource Manager. Neither of these vulnerabilities may be remotely exploited without authentication. The CVSS base score of the vulnerability affecting Oracle Enterprise Manager products is 3.5.
The Critical Patch Update contains seven new security fixes for Oracle PeopleSoft Enterprise products, all in PeopleSoft PeopleTools. None of the vulnerabilities affecting these products can be remotely exploited without authentication. The highest CVSS base score of vulnerabilities affecting Oracle PeopleSoft Enterprise products is 5.5.
There are seven new security fixes for Oracle WebLogic Server. Three of the vulnerabilities affecting Oracle WebLogic Server are remotely exploitable without authentication. The components affected for which fixes are offered are: WebLogic Server Plugins for Apache, Sun and IIS web servers and WebLogic Server. The highest CVSS base score of vulnerabilities affecting Oracle WebLogic Server is 6.8.
Oracle does not currently offer security fixes for vulnerabilities in JD Edwards products.
Rajani Baburajan is a contributing editor for TMCnet.