Oracle Corp. fixed 51 security flaws with the release of its
January Critical Patch Update (CPU) Tuesday, one fewer than the
company had originally planned. Attackers could exploit many
of the flaws to compromise vulnerable systems from remote
locations without a username or password.
The CPU includes 17 fixes for Oracle Database, one of which an
attacker could remotely exploit without the need for a username and
password. Nine flaws are addressed in Oracle HTTP Server, eight of
which are remotely exploitable. Twelve fixes address flaws in
Oracle Application Server, eight of which attackers could remotely
exploit without a username or password.
The database giant released seven fixes for flaws in Oracle
E-Business Suite, including one in the Oracle Workflow Cartridge.
"None of these vulnerabilities may be remotely exploited without
authentication," Oracle said in the CPU bulletin. The company also
addressed flaws in Oracle PeopleSoft Enterprise PeopleTools and
Oracle Enterprise Manager.
Last week, in its first-ever advance bulletin, the Redwood City,
Calif.-based database giant predicted that it would fix 52 flaws.
Eric Maurice, Oracle's manager for security, said in the
company's corporate blog that a problem was found in one
of the database fixes.
"Per our policy, which is intended to ensure that all customers
have an equal security posture, we removed the fix from the January
CPU," he said. "We are working to resolve this issue to release the
fix on all supported database versions with the next CPU in
April."
Oracle will release the next CPU April 17.