Oracle on Tuesday delivered 41 patches, including two that are rated the highest risk, for a wide range of products.
According to the Oracle security team blog:
This Critical Patch Update (CPU) addresses a total of 41 vulnerabilities affecting Oracle Database Server, Oracle Application Express, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and Oracle Siebel CRM Applications. Fifteen of these vulnerabilities are specific to Oracle Database Server (an additional two affect Application Express). Note, however, that a number of these Database Server vulnerabilities affect optional Database Server components, and only one of these Database Server vulnerabilities can be remotely exploitable without authentication.
Specifically, the patch haul, which was expected, covers the following products:
- Oracle Database 11g, version 126.96.36.199
- Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 188.8.131.52, 184.108.40.206DV
- Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0
- Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
- Oracle Application Server 10g (9.0.4), version 220.127.116.11
- Oracle Collaboration Suite 10g, version 10.1.2
- Oracle E-Business Suite Release 12, version 12.0.4
- Oracle E-Business Suite Release 11i, version 18.104.22.168
- Oracle PeopleSoft Enterprise PeopleTools versions 8.22.19, 8.48.16, 8.49.09
- Oracle PeopleSoft Enterprise HCM versions 8.8 SP1, 8.9, 9.0
- Oracle Siebel SimBuilder versions 7.8.2, 7.8.5
All the details are in Oracle's patch roundup. Good luck with it: Oracle's approach isn't the most user-friendly on the planet. The risk matrix is especially complicated. Oracle's outline of patches makes Microsoft's grid look easy.