The vulnerability count for Oracle software is on the rise with the latest April Critical Patch Update (CPU) fixing a total of 41 vulnerabilities.
The list of fixes tops Oracle’s last quarterly patch of 26 fixes issued in January.
The new security patch does, however, add updates for Oracle’s Siebel product line, which had not been included in previous CPUs.
In Oracle’s April 2007 update, Oracle patched 36 issues across the Oracle product lineup.
Oracle’s namesake database leads the vulnerability count this time with a total of 17 new fixes.
“It looks like the number of affected database components is larger this time than previous times including patches in the core RDBMS engine and query optimizer,” Slavik Markovich, CTO of Sentrigo, commented. “What’s really interesting is that two of the vulnerabilities can be remotely exploited without authentication, which basically means that your database is a sitting duck unless you deploy this patch. The last we saw of those was, I believe, 2 CPUs ago.”
The rest of Oracle’s April CPU patch haul is spread unevenly across Oracle products. Oracle E-Business Suite gets 11 new security fixes, 7 of which may be remotely exploited without authentication. Oracle Application Server receives 3 security fixes, all of which are remotely exploitable without authentication. The PeopleSoft-JD Edwards Suite is being patched for 3 new security issues. Oracle Enterprise Manager rounds out the list of the usual Oracle products in a CPU with 1 new security fix.
The April CPU marks the debut of a new entry in the product lineup that gets fixed in the CPU cycle: Oracle’s Siebel CRM Applications. The April CPU provides 6 fixes for the Oracle Siebel Enterprise Suite; 3 of the vulnerabilities could have been remotely exploited without authentication.