The affected products, 21 in total, include Oracle Database 9i Release 2, 10g, 10g Release 2 and 11g, Oracle Application Server 10g, and Oracle WebLogic Server. Six of the security patches address vulnerabilities that permit access to the Oracle Database without a user name or password, according to the company. Oracle's BEA-derived products, including JRockit and WebLogic Server, are also exposed to remote attacks that require no authentication.
Until the application of the Oracle Critical Patch Update, common network access control products, including reverse proxies and firewalls, which are typically deployed around sensitive systems, can serve to "greatly reduce" the risks posed by these vulnerabilities, Maurice wrote. He said such network security tools can prevent hackers from remotely exploiting these vulnerabilities.
This is the first time that three fixes for Oracle's core database have received the highest vulnerability rating. The ratings come from the Common Vulnerability Scoring System (CVSS), developed by the National Institute of Standards and Technology, Carnegie Mellon University and other security groups. A 10 is the maximum possible score; scores from 7.0 to 10.0 are rated high severity and scores from 4.0 to 6.9 medium.
Oracle's next scheduled quarterly CPU is Jan. 12, 2010; the remaining 2010 releases are scheduled for April 13, July 13 and Oct. 12.