Oracle has recently published the Pre-Release Announcement for the CPU Patch. This Critical Patch Update contains 78 new security vulnerability fixes for several Oracle products. 2 of these fixes are just for the Oracle Database Server, but none of them is for client-only installations. The maximum CVSS base score for pure Oracle Server vulnerabilities is 5.5, which seams to be not critical. But on the other hand Oracle mention that 1 of this 2 fixes can may be remotely exploitable without authentication. If this is true, I would expect a higher CVSS rating. We will see it next week in detailed. Nevertheless the following Database Server Products are affected.
- Core RDBMS
So far the Database Server Patch’s are planned for Oracle Database 11g Release 2 (184.108.40.206,220.127.116.11), Oracle Database 11g Release (18.104.22.168), Oracle Database 10g Release 2 (10.2.0.3, 10.2.0.4, 10.2.0.5) and Oracle Database 10g Release 1 (10.1.0.5). It looks like that the first CPU in 2012 is as well the first one for 22.214.171.124.
The official release for the CPU / PSU is planned for next week 17 Januar 2012. More details about the patch will follow soon on the Oracle Security Pages: