January 2008 Critical Patch Update Released
By Eric P. Maurice-Oracle on Jan 15, 2008
Hello, this is Eric Maurice again!
Oracle today released the January 2008 Critical Patch Update (CPUJan2008). This Critical Patch Update (CPU) addresses a total of 26 vulnerabilities affecting Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, and Oracle PeopleSoft Enterprise. Eight of these vulnerabilities are specific to Oracle Database Server, including one vulnerability affecting Oracle Database Server 11g on Linux.
While none of the Oracle Database Server fixes requires patching the database client-only installations, this Critical Patch Update includes fixes for six Oracle Application Server vulnerabilities, and two of these fixes are for client installations. The two Application Server client fixes address severe vulnerabilities affecting JInitiator, a web browser extension that enables end users to run Oracle Forms Services applications within their browser. These two vulnerabilities have received a CVSS score of 9.3 because they could allow an attacker to gain full control of the targeted client (e.g. a laptop or workstation) at the Operating System level. Note however that these two vulnerabilities cannot be used to exploit a server.
The Critical Patch Updates and Security Alerts page on Oracle Technology Network provides detailed information about this CPU, as well as previous CPUs and Security Alerts. Oracle MetaLink Note 394487.1 (subscription to MetaLink required) explains Oracle's implementation of the CVSS standard. The Resource Library on the Oracle Software Security Assurance web site also provides a number of links to useful security resources.