The Critical Patch Update includes remedies for 63 flaws related to Oracle's widely-used database products. There are also patches for 14 vulnerabilities in Application Server, 13 related to E-Business Suite, 8 in PeopleSoft products, and one each in Oracle Pharmaceuticals and JD Edwards software.
"In terms of critical fixes, the majority of them lie within the application server product," said Darius Wiles, the senior manager for security alerts at Oracle. "There is a number that could be exploited both remotely and without authentication, and those are the ones that customers should be most concerned about and fix as soon as possible."
Oracle's October security update is theto contain severity ratings. Also, the alert now more clearly denotes which flaws could be exploited remotely by anonymous attackers, the most serious type of vulnerability.
Many of the issues are significant. Thirty of the Oracle Database related flaws open systems up to unauthenticated, remote attacks, according to the alert. For Application Server, 13 flaws carry that risk, as does one in E-Business Suite and one in PeopleSoft products.
Of all the database-related flaws, 35 are in Oracle Application Express, and 25 of those carry the most serious risk. Application Express is an optional installation and isn't used by many Oracle customers, Wiles said. Application Server is more widely used and as such, more systems are at risk of flaws associated with that product, he noted.
"There is a lot of fixes this time?they seem to be getting on top of the bug fixing," Pete Finnigan, a security specialist in York, England, wrote on his blog Tuesday. "I am impressed by the new style advisory; it's not perfect, it is much better than it was."
Oracle's next patch day is Jan. 16.