Oracle CPU / PSU Advisory October 2018

Oracle has recently published the Critical Patch Update Advisory for October 2018. It is once more quite a heavy update, with no fewer than 301 security vulnerability fixes across the Oracle products. The Oracle database is relatively prominently represented, with 3 security vulnerabilities and a maximum CVSS rating of 9.8. The vulnerability with this high rating, CVE-2018-3259, is related to OJVM and affects all Oracle releases on various platforms. In addition, two of the vulnerabilities are remotely exploitable without authentication. None of the security fixes apply to client-only installations, so you only have to patch your database servers.

Oracle Unified Directory itself is not mentioned in the Oracle Critical Patch Update Advisory. However, MOS note 2385785.1, Information And Bug Listing of Oracle Unified Directory Bundle Patches: 12.2.1.3.x (12cR2PS3) Version, provides information on the latest bundle patch for OUD. Besides this patch, there are updates for Oracle WebLogic and Oracle Java as well (see links below).

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.8. The following components are affected:

  • Oracle Text
  • Java VM
  • Rapid Home Provisioning

Oracle Java VM is not installed by default. It is therefore recommended that you check your database environment to see if it is necessary to apply this critical patch update.
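
One way to run this check from SQL*Plus, as an added example that is not part of the original post. It assumes an account with SELECT access to the DBA_* dictionary views; the last query applies to 12c and later only.

```sql
-- Added example: inventory of the affected components and of patches
-- already registered in the database.

-- 1. Are the affected database components installed?
--    JAVAVM = Oracle Java VM, CONTEXT = Oracle Text.
--    No row for JAVAVM means the Java VM is not installed.
SELECT comp_id, comp_name, version, status
FROM   dba_registry
WHERE  comp_id IN ('JAVAVM', 'CONTEXT')
ORDER  BY comp_id;

-- 2. Which schemas own Java objects? Application schemas in this
--    list indicate that the Java VM is actually in use.
SELECT owner, object_type, COUNT(*) AS object_count
FROM   dba_objects
WHERE  object_type LIKE 'JAVA%'
GROUP  BY owner, object_type
ORDER  BY owner, object_type;

-- 3. Patch history recorded in the registry (11g and 12c).
--    Compare the COMMENTS column with the bundle you expect.
SELECT action_time, action, version, id, comments
FROM   dba_registry_history
ORDER  BY action_time;

-- 4. SQL patch history (12c and later; the view does not exist in 11g).
SELECT patch_id, action, status, action_time, description
FROM   dba_registry_sqlpatch
ORDER  BY action_time;
```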

For Oracle Fusion Middleware the situation looks somewhat different. The Critical Patch Update includes no fewer than 56 fixes for vulnerabilities. Several of the vulnerabilities may be remotely exploitable without authentication and are rated with the highest CVSS rating of 9.8.

A few links related to this Critical Patch Update.

One thought on “Oracle CPU / PSU Advisory October 2018”

  1. YVES KORB

    Hi,
    thanks for your site with so much information.
    I have just patched a 11204 database with the CPU October 2018 for SolarisSparc,
    and at the end, the comment inserted by catcpubundle.sql in the registry history is that I have applied the CPU October 2017.
    ????????????????
    I don’t understand.
