Oracle Critical Patch Update Announcement for July 2012 Review

Oracle has published its Critical Patch Update (CPU) Pre-Release Announcement for July 2012; the CPU itself will be released on Tuesday, July 17. This CPU contains 88 security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities affect multiple Oracle products. Of the 88 security vulnerabilities, 37 may be remotely exploitable without authentication, which represents 42% of the vulnerabilities. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0 and concerns Oracle Fusion Middleware.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you also may know, security researchers disagree with the way Oracle uses CVSS. Oracle plays with CVSS scores by creating a “Partial+” impact rating that does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently from how CVSS 2.0 defines it.
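To make the point concrete, here is an added example (not from the original post or from Oracle) that implements the CVSS 2.0 base equation and accepts only the impact values the specification defines, so a vector carrying Oracle's “Partial+” rating is rejected instead of being silently scored. The vector strings below are constructed for illustration and are not the vectors Oracle published for this CPU.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights exactly as defined in the CVSS 2.0 base equation.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}       # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}        # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}       # Authentication
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}   # None / Partial / Complete only
METRICS = {"AV": AV, "AC": AC, "Au": AU, "C": IMPACT, "I": IMPACT, "A": IMPACT}

def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into metric weights, rejecting
    any value the CVSS 2.0 specification does not define (e.g. 'P+')."""
    weights = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in METRICS:
            raise ValueError(f"unknown metric {name!r}")
        if value not in METRICS[name]:
            raise ValueError(f"{value!r} is not a CVSS 2.0 value for {name}")
        weights[name] = METRICS[name][value]
    missing = set(METRICS) - set(weights)
    if missing:
        raise ValueError(f"missing metrics: {sorted(missing)}")
    return weights

def base_score(vector):
    """CVSS 2.0 base score, rounded half-up to one decimal as the spec does."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176      # f(Impact) term of the equation
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def is_remote_unauthenticated(vector):
    """The 'remotely exploitable without authentication' class the CPU counts:
    network access vector and no authentication required."""
    w = parse_vector(vector)
    return w["AV"] == AV["N"] and w["Au"] == AU["N"]

if __name__ == "__main__":
    # Constructed vectors: a full 10.0, a partial-confidentiality 5.0, and a 0.0.
    for v in ("AV:N/AC:L/Au:N/C:C/I:C/A:C", "AV:N/AC:L/Au:N/C:P/I:N/A:N",
              "AV:L/AC:H/Au:M/C:N/I:N/A:N"):
        print(v, base_score(v), is_remote_unauthenticated(v))
    try:
        base_score("AV:N/AC:L/Au:N/C:P+/I:P+/A:P+")   # Oracle's non-standard rating
    except ValueError as e:
        print("rejected:", e)
```

Because “Partial+” has no weight in the equation, any score Oracle attaches to such a vector cannot be reproduced from the published metrics, which is the core of the researchers' objection.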

Oracle Database Server

4 vulnerabilities are reported for “Oracle Database Server” and 3 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.0. Affected components are “Core RDBMS” and “Network Layer”.

Oracle Application Express Listener

1 vulnerability is reported for “Oracle Application Express Listener” and it may be remotely exploitable without authentication. The CVSS score of this vulnerability is 7.8. Affected component is “Oracle Application Express Listener”.

Oracle Secure Backup

2 vulnerabilities are reported for “Oracle Secure Backup” and both may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.8. Affected components are “Apache” and “PHP”.

Oracle Fusion Middleware

22 vulnerabilities are reported for “Oracle Fusion Middleware” and 8 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 10.0. Affected components are “Enterprise Manager for Fusion Middleware”, “Oracle HTTP Server”, “Oracle JRockit”, “Oracle MapViewer”, “Oracle Outside In Technology” and “Portal”.

Oracle Hyperion

1 vulnerability is reported for “Oracle Hyperion” and it may be remotely exploitable without authentication. The CVSS score of this vulnerability is 4.3. Affected component is “Hyperion BI+”.

Oracle Enterprise Manager Grid Control

1 vulnerability is reported for “Oracle Enterprise Manager Grid Control” and it may be remotely exploitable without authentication. The CVSS score of this vulnerability is 6.8. Affected component is “Enterprise Manager for Oracle Database”.

Oracle E-Business Suite

4 vulnerabilities are reported for “Oracle E-Business Suite” and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 4.3. Affected components are “Oracle Application Object Library” and “Oracle E-Business Intelligence”.

Oracle Supply Chain Products Suite

5 vulnerabilities are reported for “Oracle Supply Chain Products Suite” and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 4.3. Affected components are “Oracle AutoVue” and “Oracle Transportation Management”.

Oracle PeopleSoft Products

9 vulnerabilities are reported for “Oracle PeopleSoft Products” and none of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.5. Affected components are “PeopleSoft Enterprise PeopleTools” and “PeopleSoft Enterprise HRMS”.

Oracle Siebel CRM

7 vulnerabilities are reported for “Oracle Siebel CRM” and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.8. Affected component is “Siebel CRM”.

Oracle Industry Applications

1 vulnerability is reported for “Oracle Industry Applications” and it is not remotely exploitable without authentication. The CVSS score of this vulnerability is 2.8. Affected component is “Oracle Clinical Remote Data Capture Option”.

Oracle Sun Products Suite

25 vulnerabilities are reported for “Oracle Sun Products Suite” and 17 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.8. Affected components are “GlassFish Enterprise Server”, “Oracle iPlanet Web Server”, “Solaris”, “Solaris Cluster” and “SPARC T-Series Servers”.

Oracle MySQL

6 vulnerabilities are reported for “Oracle MySQL” and none of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.8. Affected component is “MySQL Server”.