Today Oracle published the Pre-Release Announcement for the July 2018 Critical Patch Update. It’s quite a heavy update, with no fewer than 334 security vulnerability fixes across Oracle products. The Oracle Database is relatively prominently represented, with 3 security vulnerabilities and a maximum CVSS rating of 9.8. Of the vulnerabilities is remotely exploitable without authentication. But none of the security bug fixes is for client-only installations. So you just have to patch your database servers.
Oracle Unified Directory itself is not mentioned in the Oracle Critical Patch Update Pre-Release Announcement. But since there are updates for Oracle WebLogic, Oracle Java and Oracle Internet Directory, I assume a patch update for Oracle Unified Directory will follow in a couple of days.
The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.8. The following components are affected:
- Core RDBMS
- Java VM
- Oracle Spatial (jackson-databind)
We will see all the details next Tuesday, when Oracle officially releases the Critical Patch Update for July 2018. Next week I’ll have a closer look and do some test installations. I am particularly interested in why there is a patch for Oracle Database Server 18.2. Is it still just for Oracle Cloud and Exadata, or will we soon see an Oracle Database 18c release for on-premises?
More details about the patch will follow soon on the Oracle Security Pages.