Oracle as expected released its quarterly batch of security fixes Tuesday.
Oracle today released the January 2008 Critical Patch Update (CPUJan2008). This Critical Patch Update (CPU) addresses a total of 26 vulnerabilities affecting Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Eight of these vulnerabilities are specific to Oracle Database Server, including one vulnerability affecting Oracle Database Server 11g on Linux.
While none of the Oracle Database Server fixes requires patching the database client-only installations, this Critical Patch Update includes fixes for six Oracle Application Server vulnerabilities, and two of these fixes are for client installations. The two Application Server client fixes address severe vulnerabilities affecting JInitiator, a web browser extension that enables end users to run Oracle Forms Services applications within their browser. These two vulnerabilities have received a CVSS score of 9.3 because they could allow an attacker to gain full control of the targeted client (e.g. a laptop or workstation) at the Operating System level. Note however that these two vulnerabilities cannot be used to exploit a server.