Oracle has published the Pre-Release Announcement for the first Critical Patch Update in 2015. This Critical Patch Update contains 167 new security vulnerability fixes across all Oracle products. It looks like that this CPU does contain a bunch of critical security fixes for Oracle databases. Actually there are 7 fixes for security vulnerabilities, but none of them is remotely exploitable nor are they for client-only installations. Nevertheless the highest CVSS rating is 9.0. I wonder which OS is affected 😉
Beside the high CVSS rating, some core components seems to be affected:
- Core RDBMS
- Workspace Manager
- XML Developer’s Kit for C
We will see all the details later today, when Oracle is officially releasing the Critical Patch Update for January 2015. Together with my colleagues at Trivadis, we’ll have a closer look and do some testing. See also Trivadis Critical Patch Updates Report
More details about the patch will follow soon on the Oracle Security Pages.