Oracle just released the Oracle CPU (and PSU) for April 2010. As mentioned in a previous blog post, this CPU contains 7 new security vulnerability fixes for the Oracle database. None of these vulnerabilities are remotely exploitable without authentication.

The highest CVSS base score for the Oracle database is 7.5 (Oracle Fusion Middleware). It seems that the Java 0day from David Litchfield is also fixed, but I have to download the Oracle patches to verify that all bugs are fixed.

The following components are affected:

• Change Data Capture
• Core RDBMS
• JavaVM
• Oracle XDB
• RDBMS Security
• Audit

This time all Oracle database vulnerabilities were reported by the usual suspects:
Okan Basegmez of DORASEC Consulting; Esteban Martinez Fayo of Application Security, Inc.; Joxean Koret; Alexander Kornbrust of Red Database Security; David Litchfield formerly of NGS Software; Oleg P. of HSC Security Portal; and Alexandr Polyakov of Digital Security.

Oracle has fixed a problem (CVE-2010-0854) I reported in January 2009: it is possible to bypass Oracle auditing using EXPLAIN PLAN. Within the next few days I will release an advisory for this problem.
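As an added example (not code from the original post, and not the content of the forthcoming advisory), the following SQL*Plus script checks whether a statement wrapped in EXPLAIN PLAN against an audited table leaves a record in the standard audit trail, which is the before/after comparison a DBA would want to run around applying the April 2010 CPU/PSU. It assumes AUDIT_TRAIL is set to DB (or DB,EXTENDED, which also populates SQL_TEXT), that it is run as SYSDBA, and that the user AUDTEST, its password, and the table SECRET are throwaway names chosen here for illustration.

```sql
-- Added example (not from the original post): does EXPLAIN PLAN against an
-- audited table produce an audit record on this instance?
-- Assumptions: AUDIT_TRAIL=DB or DB,EXTENDED; run from SQL*Plus as SYSDBA;
-- user AUDTEST, its password and table SECRET are hypothetical names.

-- 1. Patch level: catbundle registers applied CPU/PSU bundles here,
--    so this shows whether the April 2010 patch is already installed.
SELECT action_time, action, version, id, comments
FROM   dba_registry_history
ORDER  BY action_time;

-- 2. Fixture: a test user, a table with one row, and BY ACCESS auditing
--    of SELECT on that table (one audit record per statement).
CREATE USER audtest IDENTIFIED BY "ChangeMe_1";
GRANT CREATE SESSION, CREATE TABLE, UNLIMITED TABLESPACE TO audtest;
CREATE TABLE audtest.secret (id NUMBER, payload VARCHAR2(100));
INSERT INTO audtest.secret VALUES (1, 'audited row');
COMMIT;
AUDIT SELECT ON audtest.secret BY ACCESS;

-- 3. As the test user: run the statement once normally, then only
--    explain it. PLAN_TABLE is the public global temporary plan table
--    shipped with 10g and later, so nothing else needs to be created.
CONNECT audtest/"ChangeMe_1"
SELECT * FROM secret;
EXPLAIN PLAN FOR SELECT * FROM secret;

-- 4. Compare what the audit trail recorded. A patched instance should
--    show entries for both statements; if only the plain SELECT appears,
--    EXPLAIN PLAN against the audited object went unrecorded.
CONNECT / AS SYSDBA
SELECT timestamp, username, obj_name, action_name, returncode, sql_text
FROM   dba_audit_trail
WHERE  username = 'AUDTEST'
AND    obj_name = 'SECRET'
ORDER  BY timestamp;

-- 5. Clean up the fixture.
NOAUDIT SELECT ON audtest.secret;
DROP USER audtest CASCADE;
```

SQL_TEXT is only filled when AUDIT_TRAIL is DB,EXTENDED; with plain DB the ACTION_NAME and OBJ_NAME columns are still enough to tell the two statements apart. Changing AUDIT_TRAIL requires an instance restart, so set it before running the script rather than inside it.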

