Oracle has pre-released its quarterly Critical Patch Update (CPU) coming on April 17. There will be 88 security patches covering over 30 product lines, including its Oracle database servers and the products acquired through Sun, the Solaris OS and the MySQL database.
A large number, 33, of the 88 patches are for the most critical class of vulnerabilities, Remote Code Execution (RCE) vulnerabilities, which are software flaws that allow a remote attacker to exploit the targeted software without prior authentication. Compare this to last quarter’s release, which had 16 RCEs in 78 patches. Of the mainstream software lines, only MySQL and the Siebel Clinic product are not affected by RCE-type vulnerabilities; system administrators and users of all other software lines should be prepared to review the release with care next Tuesday.
Oracle Java will not be updated next Tuesday. Oracle releases it on a separate schedule and last updated it in February 2012. The February release closed a number of critical flaws, one of which was much discussed in recent weeks due to its use in the attacks against Mac OS X