Oracle releases huge Critical Patch Updates

In a move that some industry media are chalking up to following Microsoft’s lead, “business software giant Oracle is now giving system administrators a heads-up on its upcoming security patches.”

Today saw Oracle release patches for some 52 security vulnerabilities in Oracle’s Application Server, e-Business Suite, Enterprise Manager and PeopleSoft. Reportedly, this marks the first instance of Oracle offering such advance notification, though Microsoft has been using an early warning system since 2004. Today marked the first quarterly release of such patches for 2007.

The breakdown of critical patch updates looks something like the following.

• The Oracle Database Executive Summary contains 27 new security fixes for Oracle Database products, 10 of which may be remotely exploitable without the need for a username and password. Oracle Database components affected by vulnerabilities that are fixed in this Critical Patch Update include Advanced Queuing; Advanced Replication; Advanced Security Option; Change Data Capture; Data Guard; Export; Log Miner; NLS Runtime; Oracle HTTP Server; Oracle Net Services; Oracle Process Management & Notification; Oracle Spatial; Oracle Streams; Oracle Text; Oracle Workflow Cartridge; Recovery Manager; and XMLDB.

• The Oracle Application Server Executive Summary contains 12 new security fixes for Oracle Application Server, 8 of which may be remotely exploitable without authentication. Oracle Application Server components affected by vulnerabilities that are fixed in this Critical Patch Update include Oracle Containers for J2EE; Oracle HTTP Server; Oracle Internet Directory; Oracle Process Management & Notification; Oracle Reports Developer; and Oracle Workflow Cartridge.

• The Oracle Collaboration Suite Executive Summary contains 14 Oracle Application Server vulnerabilities that are in components included in Oracle Collaboration Suite, 11 of which may be remotely exploitable without authentication.

• The Oracle E-Business Suite and Applications Executive Summary contains seven new security fixes for the Oracle E-Business Suite. The Oracle E-Business Suite components affected here include Oracle Application Object Library; Oracle Exchange; Oracle HTTP Server; Oracle Human Resources; Oracle iStore; Oracle Payables; Oracle Reports Developer; Oracle Trading Community Architecture; Oracle Web Applications Desktop Integrator; and Oracle Workflow Cartridge.

• The Oracle Enterprise Manager Executive Summary contains six new security fixes for Oracle Enterprise Manager, five of which may be remotely exploitable without authentication. Vulnerable Oracle Enterprise Manager components include Database Cloning & Data Guard Management; Enterprise Manager Console; and Oracle Agent.

• The Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Executive Summary contains three fixes for Oracle PeopleSoft Enterprise. This one cleans up PeopleTools.

Complete information on the Oracle CPUs is available here.
