Oracle Patch Update October 2016 (Database Server)
Oracle released their latest critical patch update for Database Server yesterday evening (18/10), and one of the major points of note is that this is the first release that doesn’t include bug fixes for customers on 12.1.0.1.
As you can see from the table below, Standard Edition 12.1 (SE & SE1) ended Premier Support last month and there is no option for extended support. The end of Premier Support means that Oracle will not offer fixes for new issues. Typically a customer can purchase extended support, as with 11.2; however, as this option is not available, customers operating 12.1.0.1 will need to move to SE2. This move should not be undertaken without due consideration, as SE2 is effectively a different product SKU and is impacted by different licensing constraints. For a full view of the SE changes, please read our SE2 guide.
Support coverage for Oracle Database Releases
This Oracle Critical Patch Update includes 9 new security fixes for Oracle Database impacting the below supported versions:
- Oracle Database Server 11.2.0.4
- Oracle Database Server 12.1.0.2
Vulnerability CVE-2010-5312, which relates to the APEX component, may be exploitable remotely without authentication. This means that it may be exploited over a network without the need for username and password credentials.
The following components are impacted:
- Application Express
- Kernel PDB
- OJVM (score of 9.1)
- RDBMS Programmable Interface
- RDBMS Security
- RDBMS Security and SQL*Plus
Please see the full Oracle advisory at http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixDB, as there are also vulnerabilities noted with Secure Backup and Big Graph.