Oracle released the tenth Critical Patch Update (CPU) yesterday. This quarter is the same as the previous ten, with many patches and long hours needed to get all the security patches applied in a timely manner. Fortunately, as with last quarter, no patches are required this quarter for the Oracle Application Server or Developer 6i. For R12, Oracle has now made the Oracle Applications patches cumulative, and the patch is also included in the newly released 12.0.2 patch.
There are a number of high-risk vulnerabilities that should be patched as soon as possible. From the database perspective, there are multiple vulnerabilities that can be exploited using any database account, including APPLSYSPUB. For Oracle Applications, there are multiple SQL injection and cross-site scripting vulnerabilities. All implementations that are externally accessible via the Internet (e.g., iStore, iRecruitment) should look to apply the AOL security patch 6045931 as soon as possible or disable on-line help.
I will be presenting an OAUG eLearning Community Thursdays session on July 19 giving additional information on the CPU and its impact on your Oracle Applications implementation. You can sign up for the session at -