Oracle has published the first Critical Patch Update of 2017. It is quite a huge update, with no fewer than 270 new security vulnerability fixes across the Oracle products. For the Oracle Database itself, 5 security fixes are available: 2 security fixes for the Oracle Database Server and 3 security fixes for Oracle Secure Backup and Oracle Big Data Graph.
Neither of the two vulnerabilities for the Oracle Database is remotely exploitable without authentication. None of these fixes are applicable to client-only installations.
The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0. The following components are affected:
- OJVM
- RDBMS Security / Local Logon
Overall, the PSU for the Oracle Database Server itself is relatively small. The tests for the Trivadis CPU-Report will show whether there are any issues with this PSU or SPU.
It seems that a number of patches are not yet available. Oracle lists the following Post Release Patches beside the PSU and SPU for Oracle Database Server 11.2.0.4:
| Patch Number | Patch | Platform | Availability |
|---|---|---|---|
| 24968615 | Database Proactive Bundle Patch 12.1.0.2.170117 | HP-UX Itanium (64-Bit) & AIX (64-Bit) | Expected: Wednesday 18-Jan-2017 |
| 25395111 | Oracle Application Testing Suite BP 12.5.0.1 | All Platforms | Expected: Wednesday 18-Jan-2017 |
| 25115951 | Microsoft Windows BP 12.1.0.2.170117 | Windows 32-Bit and x86-64 | Expected: Tuesday 24-Jan-2017 |
| 25112498 | Oracle JavaVM Component Microsoft Windows Bundle Patch 12.1.0.2.170117 | Windows 32-Bit and x86-64 | Expected: Tuesday 24-Jan-2017 |
| 24918318 | Quarterly Full Stack download for Exadata (Jan2017) BP 12.1.0.2 | Linux x86-64 and Solaris x86-64 | Expected: Thursday 26-Jan-2017 |
| 24918333 | Quarterly Full Stack download for SuperCluster (Jan2017) BP 12.1.0.2 | Solaris SPARC 64-Bit | Expected: Thursday 26-Jan-2017 |
More details about the patch will follow soon on the Oracle Security Pages.
25115951 Patch not found on Oracle site?
Hi, yes, it's still not available. MOS Notes 2203916.1, 756671.1 and 25115951.8 do list this patch as the latest Bundle Patch for Windows. I'm not sure if this is on purpose or by accident. I would recommend you open an SR asking for the patch. I myself have so far had no time to open an SR.
Cheers
Stefan
MOS Note 2203916.1 mentions an expected date of 24-Jan for the Windows patch (see 2.3 Post Release Patches), but until now the patch is not available.