In its latest Critical Patch Update, Oracle has issued 26 fixes across its product range. Nine of the 26 address flaws that can be exploited remotely without authentication.
The Redwood City, Calif.-based enterprise software maker has asked administrators to apply the patches as soon as possible, according to the advisory that lists the problems.
In a blog post, Oracle said:
While none of the Oracle Database Server fixes requires patching the database client-only installations, this Critical Patch Update includes fixes for six Oracle Application Server vulnerabilities, and two of these fixes are for client installations. The two Application Server client fixes address severe vulnerabilities affecting JInitiator, a web browser extension that enables end users to run Oracle Forms Services applications within their browser. These two vulnerabilities have received a CVSS score of 9.3 because they could allow an attacker to gain full control of the targeted client (e.g. a laptop or workstation) at the Operating System level. Note however that these two vulnerabilities cannot be used to exploit a server.
Five of the six Oracle Application Server flaws fixed in Tuesday's round of updates can be exploited over a network without a username or password.
Likewise, three of the seven problems in the E-Business Suite and Applications and one of the four vulnerabilities in PeopleSoft Enterprise PeopleTools carry the same risk.
Among the other products, the update includes one patch for Oracle's Collaboration Suite and eight for the Database products.
Oracle uses a standardized metric to rate the severity of its security bugs: the Common Vulnerability Scoring System (CVSS), developed by the Forum of Incident Response and Security Teams (FIRST). It offers an open method for communicating the characteristics and impact of IT vulnerabilities.
Oracle stated that the highest CVSS base score across all products in Tuesday's patch cycle is 6.8 for application servers and, as the blog post notes, 9.3 for application server clients (on a scale where 10 is the most critical).
Interestingly, just yesterday we reported a survey finding that many Oracle database professionals do not apply security patches.