Yesterday, Oracle released their quarterly Critical Patch Update (CPU) for April 2012. Oracle CPUs are collections of security updates, which fix security flaws in the wide range of products Oracle offers. According to their April advisory, this quarter’s CPU fixes 88 vulnerabilities in many of their products, including
- Oracle Database
- Oracle Application Server
- Oracle Identity Manager
- Oracle JDeveloper
- Oracle PeopleSoft
- Oracle MySQL Server
- and many other products.
For a complete list of the affected Oracle products, see the “Affected Products and Components” section of their advisory.
Oracle’s advisory doesn’t describe every flaw in technical detail. However, it does describe their scope and general impact, and assigns each of them a CVSS severity score. The 88 vulnerabilities differ greatly in scope and impact, but the worst of them pose a critical risk. For instance, unauthenticated, remote attackers can exploit a few of the Oracle Database vulnerabilities to gain unauthorized access to your database server. The update also includes a critical fix for JRockit with the highest possible CVSS score of 10.
If you manage any of the Oracle products listed in their April CPU advisory, I recommend you visit the Patch Availability section of their alert, and download, test and deploy the appropriate updates as soon as you can. — Corey Nachreiner, CISSP (@SecAdept).