The 51 vulnerabilities affect Oracle Database Server, Oracle Applications Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise Applications.
Oracle's last CPU came out in October of 2006 and addressed 101 new flaws. At the time, the database giant also introduced a new reporting transparency for its updates that identify when a vulnerability is actually remotely exploitable. As a result, Oracle is using Common Vulnerability Scoring System (CVSS) scores in its CPU now.
"Our use of CVSS has generated a lot of support from customers and genuine interest from the industry," Eric Maurice, manager of security in Oracle's global technology business unit, wrote on Oracle's security blog.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=i The CVSS scores in the January CPU also reveal that Oracle is reporting 51 vulnerabilities in total, but that seven of them have a CVSS "Base Metric" score of zero.
"This is because this type of vulnerability represents problems that we believe are not exploitable in a default database environment (as provided by Oracle 'out of the box')," Maurice explained. "Code that runs affected programs as a privileged user (e.g. custom code developed by customers, which passes input from an untrusted source) may be exploitable. In particular, it may allow malicious code to be run with administrative privileges."
Though the numbers aren't terrible, there are still some very serious flaws that the January update addresses. It includes some 26 patches for Oracle's database applications, 10 of which could potentially be remotely exploitable without even a username or password. Oracle's Application Server software isn't out of the woods with eight critical vulnerabilities that can also be exploited remotely without usernames or passwords.