Oracle plans to release 41 security fixes on Tuesday as part of its quarterly Critical Patch Update (CPU). The patches repair about a dozen serious flaws across its product line.
In the Oracle prerelease announcement to customers, the vendor said the CPU contains 10 new security vulnerability fixes for the Oracle Database. The flaws can be found in Job Queue, Oracle OLAP, Oracle Spatial and Oracle Streams. They affect Oracle Database 9i, 10g and 11g.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the Redwood Shores, Calif.-based vendor said in its prerelease announcement.
The CPU contains a security vulnerability fix for the Oracle TimesTen Data Server. A flaw in the real-time, in-memory database could be exploited remotely without authentication, Oracle said. The Common Vulnerability Scoring System (CVSS) base score of the vulnerability is 7.5.
Nine new security vulnerability fixes are planned for Oracle Secure Backup, Oracle's tape backup management software. Oracle said all the vulnerabilities may be remotely exploited without authentication. The highest CVSS base score affecting Oracle Secure Backup is 10.0 for Windows versions of the product and 7.5 for all other platforms.
Four security fixes are reserved for the Oracle Application Server. Oracle said two of them could be exploited remotely without authentication. The highest CVSS score for the vulnerabilities was 5.0.
One fix addresses an issue with the Oracle Collaboration Suite, which provides tools and features for enterprise messaging. Oracle said the Collaborative Workspaces component of Oracle Collaboration Suite is affected by the vulnerability. Collaborative Workspaces is a program interface built on top of the collaboration suite. It allows users to share documents, schedule meetings and complete projects via a forum or email.
The CPU also has four security fixes for the Oracle E-Business Suite. Vulnerabilities can be found in Oracle iProcurement, Oracle Application Object Library and the Oracle Applications Framework and Platform Engineering.
Also, five security fixes address issues within the former BEA product line. The flaws affect Oracle WebLogic Server Plugin for Apache, Sun and IIS Web servers as well as the WebLogic Portal. Oracle said the vulnerabilities could be exploited by an attacker without authentication. The highest CVSS base score of vulnerabilities affecting Oracle WebLogic Server is 10.0 for the WebLogic Server Plugin for Apache, Sun and IIS Web servers.
Oracle released 36 security fixes in October. It patched a dangerous WebLogic flaw and 15 critical database holes.