Oracle Patch Update October 2015 (Database Server)

Oracle have released their latest critical patch update for Database Server and in true halloween fashion there is a goulish security vulnerability lurking in the release which is scored at 10.0 on the CVSS scoring system. CVSS is a standardised method for assessing security vulnerabilities which provides a base score between 0.0 and 10.0, where 10.0 represents the most severe vulnerability.

This Oracle Critical Patch Update includes seven new security fixes for Oracle Database impacting the below versions:

• Oracle Database Server 11.1.0.7
• Oracle Database Server 11.2.0.3
• Oracle Database Server 11.2.0.4
• Oracle Database Server 12.1.0.1
• Oracle Database Server 12.1.0.2

The Oracle Database Server components affected by vulnerabilities that are fixed in this Critical Patch Update are:

• Database Scheduler: 9.0 CVSS Score
• Java VM: 6.5 – 9.0  (3 vulnerabilities, 2 of which only affect Windows based systems)
• Portable Clusterware: 10.0 (!)
• RDBMS (12c only): 5.5
• XDB – XML Database: 6.5

The Portable Cluserware vulnerability carries the highest 10.0 rating mainly due to the fact that it can be remotely exploited without authentication. For managed clients, your service manager will be in touch to arrange a suitable maintenance window, as we strongly encourage the implementation of these patches.