Today, July 15th, Oracle will release its quarterly critical patch update. They have now published the pre-release announcement. The highest CVSS score of all vulnerabilities patched is 6.8 (6.5 is the maximum for the Oracle Database itself).
Below is the list of software planned to be affected, quoted from their announcement:
- Oracle Database 11g, version 126.96.36.199
- Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 188.8.131.52, 184.108.40.206DV
- Oracle Database 9i, version 220.127.116.11 FIPS+
- Oracle TimesTen In-Memory Database version 18.104.22.168.0
- Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0
- Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0, 10.1.2.3.0
- Oracle Application Server 10g (9.0.4), version 22.214.171.124
- Oracle Application Server 9i Release 1, version 126.96.36.199
- Oracle Hyperion BI Plus versions 188.8.131.52, 184.108.40.206, and 220.127.116.11
- Oracle Hyperion Performance Suite versions 18.104.22.168, and 22.214.171.124
- Oracle E-Business Suite Release 12, version 12.0.4
- Oracle E-Business Suite Release 11i, version 126.96.36.199
- Oracle Enterprise Manager Database Control 11i version 188.8.131.52
- Oracle Enterprise Manager Database Control 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
- Oracle Enterprise Manager Database Control 10g Release 1, version 10.1.0.5
- Oracle Enterprise Manager Grid Control 10g Release 1, versions 10.1.0.5, 10.1.0.6
- Oracle PeopleSoft Enterprise PeopleTools versions 8.48.18, 8.49.12
- Oracle PeopleSoft Enterprise CRM version 8.9, 9.0
- Oracle WebLogic Server 10.0 released through MP1
- Oracle WebLogic Server 9.0, 9.1, 9.2 released through MP3
- Oracle WebLogic Server 8.1 released through SP6
- Oracle WebLogic Server 7.0 released through SP7
- Oracle WebLogic Server 6.1 released through SP7
Oracle notes that this is the first time patches for BEA, Hyperion and TimesTen technology are included in the release. If you are running software from these recently-acquired vendors, please be aware.
It should be noted that the CVSS for application software vulnerabilities such as a database are generally lower, but not necessarily less critical in specific environments. A bug may not give access to the underlying operating system, but in the case of a database we tend to be more worried about the data housed there than other software running on the same system.
We recommend reviewing the pre-release announcement, and subsequent release, closely, and prioritize patching according to your specific environment's requirements.