Oracle to patch 38 flaws

The company's flagship database software and many other products are affected by the security holes, some of which have the highest possible risk rating
Written by Tom Espiner, Contributor

Oracle plans to release an update on Tuesday that will patch 38 vulnerabilities across hundreds of products.

Oracle's Critical Patch Update, scheduled for 20 October, contains fixes for numerous flaws, the company said. Many of the security holes have the maximum score of 10.0 on the Common Vulnerability Scoring System (CVSS), marking them as critical. For example, vulnerabilities affecting Oracle Core RDBMS, Oracle JRockit and Oracle Network Authentication have a CVSS score of 10.0.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," said the company in its advance notification of the update.

The business-software maker's flagship product, Oracle database, suffers from 16 flaws that will be patched by the update. Components with vulnerabilities include advanced queuing, application express and authentication.

Other products with flaws addressed by the patches include: Oracle Application Server; Oracle Applications Suite; Oracle E-Business Suite; Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne; Oracle BEA Products; and Oracle Industry Applications Products.

The Oracle update comes a week after Adobe patched 28 holes, and Microsoft plugged Windows 7 flaws in its largest-ever patch release. Like those companies, Oracle usually issues its patch bundles on the second Tuesday of the month, but delayed the October update for a week to avoid coinciding with its Oracle OpenWorld conference.
