Oracle plans to patch 78 vulnerabilities across hundreds of its products as part of its upcoming quarterly critical patch update (CPU). The highest CVSS rating for this CPU is 10.0 for more than one product in Oracle’s portfolio according to this pre-release announcement. The CPU is expected to be released on July 19.
The July CPU will carry updates to Oracle Database 11g & 10g, Oracle Fusion Middleware, Oracle Application Server, Oracle BI Enterprise Edition, Oracle Identity Management, Oracle Enterprise Manager 11g & 10g, Oracle E-Business Suite Release 12 & 11, Oracle PeopleSoft product-line and the Oracle Sun Product Suite, including Solaris, SPARC and VirtualBox.
This CPU addresses 13 issues in Oracle’s flagship database software, two of which can be remotely exploited without requiring authentication. The highest CVSS base score for database is 7.1. Three fixes have been released for Oracle Secure Backup, all of which are rated critical or 10.0 under CVSS, and are remotely exploitable.
There are expected to be seven major fixes in the Fusion middleware product line, with Oracle JRockit having the highest CVSS rating of 10.0. Nine out of 18 vulnerabilities reported in the Enterprise Manager Grid Control product line may be remotely exploited without authentication, and carry the highest CVSS score of 6.8
The PeopleSoft product suite has 12 patches, of which only one addresses a critical remotely exploitable vulnerability. The Sun product suite comes last, with a massive 23 fixes (of which nine are critical). The highest CVSS score is 10, which includes patches for SPARC processors and the Solaris operating system.
In all, 27 vulnerabilities of the 78 vulnerabilities being addressed by this CPU are rated critical or remotely exploitable without requiring any authentication. More details about specific products may be found on the Oracle website. This CPU does not address vulnerabilities in Oracle’s Java product lineup, which has its own update cycle, and is not included in the update cycle for Sun products.