Oracle released its January Critical Patch Update (CPU), with patches for a majority of its product line:
- Oracle Solaris: eight vulnerabilities in Solaris itself, including CVE-2012-0094 with the highest CVSS score of 7.8 in the advisory, plus three issues in the Glassfish application server.
- Weblogic Application Server: two vulnerabilities, neither one requiring authentication.
- MySQL Server: a total of 27 vulnerabilities in versions 5.x, with one Remote Code Execution vulnerability (CVE-2011-2262).
- Oracle Database Server: both version 10 and 11 are affected by two remote code execution vulnerabilities, one in the Listener (CVE-2012-0072) and the other one in the core RDBMS server (CVE-2012-0082).
- Oracle Applications, such as PeopleSoft and JD Edwards: 14 vulnerabilities in total across these products.
- Oracle Virtualization software: three vulnerabilities, two in the Guest Additions and Shared Folders, which are widely used but only accessible locally.
Oracle RDBMS can probably be addressed last, as these systems tend to be installed on internal networks, or are well firewalled if they are connected to the Internet at all. A good map of your network will help in determining where to start.
BTW, neither Oracle Enterprise Linux nor Oracle Java is covered by the CPU process; both receive updates on their own distinct schedules.
Author: Wolfgang Kandek, CTO, Qualys.