Updated below: Oracle said Thursday that its latest batch of patches will fix 27 security fixes "across hundreds of Oracle products," including eight for the company's database, seven for its e-business suite and six for its application server.
In its advisory, Oracle outlines a laundry list of software affected. Here's the roll call:
- Oracle Database 11g, version 126.96.36.199
- Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 188.8.131.52, 184.108.40.206DV
- Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0, 10.1.3.3.0
- Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
- Oracle Application Server 10g (9.0.4), version 220.127.116.11
- Oracle Collaboration Suite 10g, version 10.1.2
- Oracle E-Business Suite Release 12, versions 12.0.0 - 12.0.3
- Oracle E-Business Suite Release 11i, versions 11.5.9 - 11.5.10 CU2
- Oracle Enterprise Manager Grid Control 10g Release 1, versions 10.1.0.5, 10.1.0.6
- Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48, 8.49
- Oracle PeopleSoft Enterprise Human Capital Management versions 8.9, 9.0 (Absence Management Module)
The most critical fixes of the bunch are for Oracle's application server and e-business suite. Although Oracle has eight fixes planned for database none can be exploited remotely.
Five of the six vulnerabilities in Oracle Application Server "may be remotely exploited without authentication, i.e. may be exploited over a network without the need for a username and password."
Oracle said the Application Server components affected are Oracle BPEL Worklist Application, Oracle Forms, Oracle Internet Directory, Oracle JDeveloper and Oracle JInitiator.
As for the Oracle E-Business Suite, Oracle has seven security fixes with three that can be remotely exploited.
Update: Secunia is reporting a "highly critical" Oracle Siebel SimBuilder NCTAudioFile2 ActiveX control buffer overflow that is unpatched. In the advisory, Secunia notes:
A vulnerability has been discovered in Oracle Siebel SimBuilder, which can be exploited by malicious people to compromise a user's system.
The software affected includes Oracle Siebel CRM 7.x and Oracle Siebel SimBuilder 7.x. It remains to be seen if Oracle's patch release will take care of this vulnerability.