The Oracle open world 2017 is over, the dust just settled down. A perfect time for Oracle to release the October critical patch advisory. With not less than 270 new security vulnerability fixes across the Oracle products it seems to be a rather huge update. From the DB perspective it is nothing unusual. It contains 6 new security fixes for vulnerabilities on Oracle Database 11.2.0.4, 12.1.0.2 and 12.2.0.1. 2 of the vulnerabilities can be used remotely without authentication, but none of the vulnerabilities affect Oracle client installations. Overall the highest CVSS Rating is 8.8 for Oracle Database Server 11.2.0.4 on Windows respectively 7.8 for 12.1.0.2 on Windows and Linux. According to Oracle the following components are affected:

• Core RDBMS
• Java VM
• XML Database
• RDBMS Security
• Spatial (Apache Groovy)
• WLM (Apache Tomcat)

Not all of these components are installed by default. It is therefore recommended that you check your database environment to see if it is necessary to apply this critical patch update. OK, I guess Core RDBMS is part of you database setup 🙂

For Oracle Fusion Middleware the situation looks somehow different. The Critical Patch Update includes not less than 40 fixes for vulnerabilities. Up to 26 vulnerabilities may be remotely exploitable without authentication and are rated with the highest CVSS rating of 9.8.

More details about the patch will follow soon on the Oracle Security Pages.

• Critical Patch Updates and Security Alerts
• Oracle Critical Patch Update Advisory – October 2017
• TVD-Critical Patch Report
• Or posted here 🙂

By the way, Oracle improved the table which lists the affected products and components in there advisory. Oracle Database is not a the top of the table any more.