Oracle has published the first Critical Patch Update in 2017. It’s quite a huge update with not less than 270 new security vulnerability fixes across the Oracle products. For the Oracle Database itself are 5 security fixes available respectively 2 security fixes for the Oracle Database Server and 3 security fixes for Oracle Secure Backup and Oracle Big Data Graph.
Neither of the two vulnerabilities for Oracle Databases are remotely exploitable without authentication. None of these fixes are applicable to client-only installations.
The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:
- RDBMS Security / Local Logon
Over all the PSU for Oracle Database Server itself is relatively small. The tests for the Trivadis CPU-Report will show if there are any issues with this PSU respectively SPU.
It seems that a bunch of Patch’s are not yet available. Oracle list the follow Post Release Patches beside the PSU and SPU for Oracle Database Server 18.104.22.168.
|24968615||Database Proactive Bundle Patch 22.214.171.124.170117||HP-UX Itanium (64-Bit) & AIX (64-Bit)||Expected: Wednesday 18-Jan-2017|
|25395111||Oracle Application Testing Suite BP 126.96.36.199||All Platforms||Expected: Wednesday 18-Jan-2017|
|25115951||Microsoft Windows BP 188.8.131.52.170117||Windows 32-Bit and x86-64||Expected: Tuesday 24-Jan-2017|
|25112498||Oracle JavaVM Component Microsoft Windows Bundle Patch 184.108.40.206.170117||Windows 32-Bit and x86-64||Expected: Tuesday 24-Jan-2017|
|24918318||Quarterly Full Stack download for Exadata (Jan2017) BP 220.127.116.11||Linux x86-64 and Solaris x86-64||Expected: Thursday 26-Jan-2017|
|24918333||Quarterly Full Stack download for SuperCluster (Jan2017) BP 18.104.22.168||Solaris SPARC 64-Bit||Expected: Thursday 26-Jan-2017|
More details about the patch will follow soon on the Oracle Security Pages.