The Critical Patch Update contains 17 security fixes for the Oracle Database, three security fixes for Oracle Application Server, 11 security fixes for the Oracle E-Business Suite, one security fix for the Oracle Enterprise Manager, three security fixes for Oracle PeopleSoft Enterprise products, and six security fixes for Oracle Siebel SimBuilder products.
Of these, 15 can be exploited remotely without authentication.
The following Oracle products are affected: Oracle Database 11g, version 184.108.40.206; Database 10g Release 2, versions 10.2.0.2, 10.2.0.3; Oracle Database 10g, version 10.1.0.5; Oracle Database 9i Release 2, versions 220.127.116.11, 18.104.22.168DV; Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0; Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0; Oracle Application Server 10g (9.0.4), version 22.214.171.124 Oracle Collaboration Suite 10g, version 10.1.2; Oracle E-Business Suite Release 12, versions 12.0.0 - 12.0.4; Oracle E-Business Suite Release 11i, versions 11.5.9 - 11.5.10 CU2; Oracle PeopleSoft Enterprise PeopleTools versions 8.22.19, 8.48.16, 8.49.09; Oracle PeopleSoft Enterprise HCM versions 8.8 SP1, 8.9, 9.0; Oracle Siebel SimBuilder versions 7.8.2, 7.8.5
Security researchers have noted that cyber attacks now tend to focus more on applications than on operating system or network vulnerabilities. The number of published proof-of-concept exploits for Oracle products last year, compared to previous years, seems to support that contention.
Mil0worm.com, a security vulnerability site, listed 21 proof-of-concept exploits for Oracle software in 2007, compared to 5 in 2006 and 3 in 2005. So far in 2008, the site lists 4 Oracle-related vulnerabilities.