Oracle has published the Pre-Release Announcement for the July Critical Patch Update. This Critical Patch Update contains 193 new security vulnerability fixes across all Oracle products. It looks like this CPU contains a bunch of critical security fixes for Oracle databases. Actually, there are 10 fixes for security vulnerabilities, 2 of which are remotely exploitable. There is no security fix for client-only installations. Nevertheless, the highest CVSS rating is 9.0. I wonder which OS is affected 😉
Besides the high CVSS rating, some core components seem to be affected:
- Application Express
- Core RDBMS
- Java VM
- Oracle OLAP
- RDBMS Partitioning
- RDBMS Scheduler
- RDBMS Security
- RDBMS Support Tools
We will see all the details later today, when Oracle officially releases the Critical Patch Update for July 2015. Together with my colleagues at Trivadis, we’ll have a closer look and do some testing. See also TVD-Critical PatchReport™ or TVD-Trivadis eXpert Team Security.
More details about the patch will follow soon on the Oracle Security Pages.