Today, July 15th, Oracle will release its quarterly critical patch update. They have now published the pre-release announcement. The highest CVSS score of all vulnerabilities patched is 6.8 (6.5 is the maximum for the Oracle Database itself).
Below is the list of software planned to be affected, quoted from their announcement:
- Oracle Database 11g, version 22.214.171.124
- Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 126.96.36.199, 188.8.131.52DV
- Oracle Database 9i, version 184.108.40.206 FIPS+
- Oracle TimesTen In-Memory Database version 220.127.116.11.0
- Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0
- Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0, 10.1.2.3.0
- Oracle Application Server 10g (9.0.4), version 18.104.22.168
- Oracle Application Server 9i Release 1, version 22.214.171.124
- Oracle Hyperion BI Plus versions 126.96.36.199, 188.8.131.52, and 184.108.40.206
- Oracle Hyperion Performance Suite versions 220.127.116.11, and 18.104.22.168
- Oracle E-Business Suite Release 12, version 12.0.4
- Oracle E-Business Suite Release 11i, version 22.214.171.124
- Oracle Enterprise Manager Database Control 11i version 126.96.36.199
- Oracle Enterprise Manager Database Control 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
- Oracle Enterprise Manager Database Control 10g Release 1, version 10.1.0.5
- Oracle Enterprise Manager Grid Control 10g Release 1, versions 10.1.0.5, 10.1.0.6
- Oracle PeopleSoft Enterprise PeopleTools versions 8.48.18, 8.49.12
- Oracle PeopleSoft Enterprise CRM version 8.9, 9.0
- Oracle WebLogic Server 10.0 released through MP1
- Oracle WebLogic Server 9.0, 9.1, 9.2 released through MP3
- Oracle WebLogic Server 8.1 released through SP6
- Oracle WebLogic Server 7.0 released through SP7
- Oracle WebLogic Server 6.1 released through SP7
Oracle notes that this is the first time patches for BEA, Hyperion and TimesTen technology are included in the release. If you are running software from these recently-acquired vendors, please be aware.
It should be noted that the CVSS for application software vulnerabilities such as a database are generally lower, but not necessarily less critical in specific environments. A bug may not give access to the underlying operating system, but in the case of a database we tend to be more worried about the data housed there than other software running on the same system.
We recommend reviewing the pre-release announcement, and subsequent release, closely, and prioritize patching according to your specific environment's requirements.
Jul 15th 2008