Oracle recently released the spring Critical Patch Advisory. It is the first Critical Patch Update that also includes fixes for Oracle 18c. Overall it includes 254 new security fixes across the product families. This is a rather large update, although only a single security vulnerability is patched for Oracle Database. This vulnerability is not remotely exploitable without authentication and is not applicable to client-only installations. The CVSS rating is 8.5 for Oracle Database 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18.1.0.0 on any operating system. According to Oracle the following component is affected:
- Java VM
Oracle Java VM is not installed by default. It is therefore recommended that you check your database environment to see if it is necessary to apply this critical patch update.
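To check whether the Java VM component is actually present, and which patch level the database itself reports, the two queries below can be run against the data dictionary. This is an added example, not from the original post or from Oracle; it assumes a privileged session (SYS or a DBA role) in SQL*Plus and uses the standard `DBA_REGISTRY` and `DBA_REGISTRY_SQLPATCH` views.

```sql
-- Added example (not part of the original post): verify whether the
-- Java VM component is installed and which SQL patches are recorded.
-- Assumes a privileged session (SYS or a DBA role).

-- 1. Is the JVM component registered in this database?
--    No row returned (or STATUS other than 'VALID') means the Java VM
--    component is not installed, so the database part of this CPU
--    does not apply to this instance.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'JAVAVM';

-- 2. Which patches has datapatch recorded in this database?
--    The most recent rows show the PSU/RU level that was applied on
--    the SQL side, e.g. 12.1.0.2.180417 for the April 2018 update.
--    A database home still reporting an older level (such as
--    12.1.0.2.180116) shows up here as the newest row.
SELECT patch_id, action, status, action_time, description
  FROM dba_registry_sqlpatch
 ORDER BY action_time DESC;
```

The second query only reflects what datapatch has applied inside the database; the binary inventory of each Oracle home (grid home and database home separately) is listed with `opatch lspatches` run from that home, which is where a mismatch between the two homes would be visible.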
For Oracle Fusion Middleware the situation looks somewhat different. The Critical Patch Update includes no fewer than 30 fixes for vulnerabilities. Several of the vulnerabilities may be remotely exploitable without authentication and are rated with the highest CVSS rating of 9.8.
More details about the patch will follow soon on the Oracle Security Pages.
- Critical Patch Updates and Security Alerts
- Oracle Critical Patch Update Advisory – April 2018
- TVD-Critical Patch Report
- Or posted here 🙂
By the way, Oracle improved the table which lists the affected products and components in their advisory. Oracle Database is no longer at the top of the table.
Comment by a user via site feedback:
I tried to apply Grid Infrastructure patch set update 12.1.0.2.180417 patch. On grid it updated 3 patches (12.1.0.2.180417) and 1 failed to update (12.1.0.2.180116). On db_1 there is no change, all patches have the old numbers (12.1.0.2.180116).