Oracle Patches (Jan2011 CPU)

Published: 2011-01-18. Last Updated: 2011-01-18 21:17:51 UTC
by Daniel Wesemann (Version: 2)
2 comment(s)

Today, Oracle will release its quarterly patch bundle ("Jan2011 CPU").  The pre-announcement is already out, and it promises quite some "entertainment" for DBAs and Middleware Admins for the next couple weeks.  One thing that certainly stands out from the list is the vulnerability in Oracle Audit Vault with a CVSS score of 10.0, apparently remotely exploitable without authentication.  Always disappointing when a so-called security component makes the system actually more vulnerable.

We'll update this diary later, once the full information becomes available.

Update 2105 UTC:  The full advisory is now out, see www.oracle.com/technetwork/topics/security/cpujan2011-194091.html.  In addition to the already mentioned Audit Vault vulnerability, other notable problems include vulnerabilities in Oracle Fusion Middleware, a remotely exploitable hole in Sun Solaris CDE Calendar Manager Service, and also a serious problem in the PowerPoint parser for OpenOffice.  

Given the long list, it stands to hope that Oracle took the time to properly check the patches for compatibility with each other, as well as with their other product lines.

 

 

Keywords: Oracle patches
2 comment(s)

Comments

Not to be overlooked are the listing of PeopleSoft; OpenOffice Suite; and Sun Java Suites with highest CVSS ratings of 5.5; 9.3; and 10.0 respectively.

- http://www.us-cert.gov/current/#oracle_releases_critical_patch_update14
January 19, 2011
"... This update contains the following security fixes:
7 for Oracle Database Server
16 for Oracle Fusion Middleware
2 for Oracle Enterprise Manager Grid Control
16 for Oracle Applications
3 for Oracle Supply Chain Products Suite
11 for Oracle PeopleSoft and JDEdwards Suite
2 for Oracle Industry Applications
23 for Oracle Sun Products Suite
2 for Oracle Open Office Suite ..."
.

Diary Archives