Wow, that’s a big one! Not so much in the number of security bugs fixed as in their severity.

Oracle fixed 30 vulnerabilities, which is a bit less than in previous CPUs. Most of the problems are in the core database product and are centered around the network components. The usual suspect, Advanced Queuing, also makes an appearance.

The interesting part is the 3 vulnerabilities that are remotely exploitable without authentication, in the Network Authentication, Listener and Secure Enterprise Search (note the irony) components.

As with previous CPUs, but even more so due to the severity of some of the issues, my advice is to wait for a few days to see if there are problems in the patch itself, test your application, and patch as soon as possible.

I’d love to hear from DBAs out there: how soon are you deploying this CPU?