By Eric P. Maurice-Oracle on Apr 16, 2013
Hello, this is Eric Maurice.
Oracle just released the April 2013 Critical Patch Update. This Critical Patch Update provides fixes for 128 new security vulnerabilities across a wide range of product families including the Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle FLEXCUBE, Oracle Industry Applications, Oracle Primavera, Oracle and Sun Systems Product Suite (including Sun Middleware Products), Oracle MySQL, and Oracle Support Tools.
Of the 128 fixes included in this Critical Patch Update, 4 are for Oracle Database Server. The most severe Database vulnerability has received a CVSS Base Score of 10.0 for the Windows platform and 7.5 on other platforms (e.g., Solaris, Linux). This vulnerability is limited to Oracle Database 220.127.116.11 and 18.104.22.168 operating in RAC configurations.
This Critical Patch Update also includes 29 security fixes for Oracle Fusion Middleware. The most severe of these vulnerabilities has also received a CVSS Base Score of 10.0 and it in fact affects a series of vulnerabilities in the Java Runtime Environment that are applicable to JRockit. In addition, a number of these fixes are for third-party components included in Oracle Fusion Middleware.
This Critical Patch Update includes a significant number of security fixes for Oracle Applications. This high number is due in some part to the recent inclusion of new product lines in the Critical Patch Update (e.g., Oracle FLEXCUBE). Oracle E-Business Suite receives 6 new security fixes, Oracle Supply Chain Products Suite receives 3, PeopleSoft Enterprise 11, Oracle Siebel CRM 8, Oracle Industry Applications 3, and Oracle FLEXCUBE 18. In addition, this Critical Patch Update includes 2 security fixes for Oracle Primavera.
As with previous Critical Patch Updates, this Critical Patch Update also provides a significant number of security fixes for the Oracle and Sun Systems Products Suite. 18 new fixes for the Sun Product Suite are provided, including 16 fixes affecting Solaris and 2 for Oracle GlassFish Server. The most severe of these vulnerabilities has received a CVSS Base Score of 6.4.
Also included in this Critical Patch Update are 25 new security fixes for Oracle MySQL (the most severe of these bugs has received a CVSS Base Score of 6.8) and one new security fix for Oracle Support Tools (specifically Automatic Service Request (ASR), a support utility used to automatically generate service request in case of specific hardware failure).
As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible so as to ensure that the in-depth security posture of the organization is maintained. As a reminder, Oracle also today released a Critical Patch Update for Java SE. The content of the Critical Patch Update for Java SE and a highlight of Oracle’s security plan for Java are discussed in a separate blog entry.
For More Information:
The Security Advisory for the April 2013 Critical Patch Update is located at http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html
The Security Advisory for the April 2013 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
More information about Oracle Software Security Assurance programs is located at http://www.oracle.com/us/support/assurance/index.html.