Oracle released the twelfth Critical Patch Update (CPU) yesterday. This quarter is the same as the previous eleven, with many patches and long hours needed to get all the security patches applied in a timely manner. Fortunately, as with last quarter, no patches are required this quarter for the Oracle Application Server or Developer 6i. For R12, Oracle has now made the Oracle Applications patches cumulative, and the patch is also included in the newly released 12.0.3 patch.
This quarter does have a larger than average number of database vulnerabilities that can be exploited by low-privileged database accounts, so the database security patch should be a priority. Also, unlike the vast majority of previous database security bugs, this quarter has 7 vulnerabilities that can be exploited without a database account. It appears most of these issues are denial of service or low risk; nevertheless, this is another reason to prioritize the database patch.
Oracle continues the push to keep all customers on recent versions by only certifying the CPU patches with 126.96.36.199, 10.1.0.5, 10.2.0.2, and 10.2.0.3 for the database and RUP4 or RUP5 for the Oracle E-Business Suite 11i.
Most information about the vulnerabilities and detailed recommendations on patching and testing is available at -
I will be presenting an OAUG eLearning Community Thursdays session this Thursday, October 18th, giving additional information on the CPU and its impact on your Oracle Applications implementation. You can sign up for the session at -