Are you ready for another batch of Oracle CPU?
A CPU (Critical Patch Update) is a collection of patches for multiple security vulnerabilities and is usually cumulative. Even so, it is always advisable to review prior CPU advisories for earlier published security fixes.
Oracle has just released the CPU for January 2016, which has 248 new security fixes throughout Oracle products; this is a record-breaking number so far.
Previous CPU Advisories:
Here is the breakdown of Oracle Products affected:
As seen in the chart above, Oracle E-Business Suite is by far the front runner with 78 Security Fixes.
The majority of the Oracle E-Business Suite fixes are remotely exploitable without authentication. Around 21 fixes affect the newer versions of Oracle E-Business Suite R12.2 (a release much discussed for its Online Patching capability).
Oracle GoldenGate has 2 fixes with a 10.0 Base Score, but only on Windows for Database versions prior to 12c, and Oracle Java has 3 with a 10.0 Base Score.
Next in line is Oracle Database Server with a 9.0 Base Score. The affected component is JVM with the “create session” privilege on the Windows platform. I have seen it used loosely within organizations; providentially, it’s not remotely exploitable without authentication.
To take advantage of Critical Patch Updates, keep Oracle product versions upgraded and up to date with the latest releases, and apply Critical Patch Updates as soon as possible.
Critical Patch Update Schedule:
Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:
19 April 2016
19 July 2016
18 October 2016
17 January 2017
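
For patch-window planning, the schedule rule above can be computed rather than looked up. The following is an added example, not Oracle's or the original post's code; the function names are hypothetical, and it assumes the release months are January, April, July and October, matching the dates listed above.

```python
from datetime import date, timedelta

# Release months assumed from the dates listed on this page.
CPU_MONTHS = (1, 4, 7, 10)
TUESDAY = 1  # date.weekday(): Monday == 0


def cpu_release_date(year: int, month: int) -> date:
    """Return the Tuesday closest to the 17th of the given month."""
    anchor = date(year, month, 17)
    # Days forward to the next Tuesday (0..6).
    forward = (TUESDAY - anchor.weekday()) % 7
    # More than 3 days forward means the previous Tuesday is closer.
    # A tie cannot occur because a week has an odd number of days.
    offset = forward if forward <= 3 else forward - 7
    return anchor + timedelta(days=offset)


def next_cpu_dates(after: date, count: int = 4) -> list:
    """Return the next `count` CPU release dates strictly after `after`."""
    found = []
    year = after.year
    while len(found) < count:
        for month in CPU_MONTHS:
            release = cpu_release_date(year, month)
            if release > after and len(found) < count:
                found.append(release)
        year += 1
    return found


def days_until_next_cpu(today: date) -> int:
    """Days remaining before the next CPU release, for change-freeze planning."""
    return (next_cpu_dates(today, 1)[0] - today).days


if __name__ == "__main__":
    # Constructed input: the January 2016 release date computed by the rule.
    start = cpu_release_date(2016, 1)
    for d in next_cpu_dates(start):
        print(d.strftime("%d %B %Y"))
```

Oracle's published schedule remains the authority for actual release dates; the script only applies the rule as stated here.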