Security Experts:

Connect with us

Hi, what are you looking for?



Oracle Issues Massive Security Update With Critical Fixes for Java, Fusion Middleware

Oracle released a mammoth security update that fixes 144 security vulnerabilities – including critical flaws in Java SE and Oracle Fusion Middleware.

Oracle released a mammoth security update that fixes 144 security vulnerabilities – including critical flaws in Java SE and Oracle Fusion Middleware.

Tucked inside the massive release are 36 fixes for Oracle Java SE, 34 of which can be exploited remotely without authentication. The highest CVSS Base Score of the Java vulnerabilities is a 10.0 – the highest possible overall vulnerability score. According to Oracle, the Java SE components affected by the vulnerabilities are: Java SE, Java SE Embedded, JavaFX and JRockit.

Oracle Security Patches“Java was one of the most attacked [software products] in 2013 and it will continue to be so due to its sluggish update record,” blogged Wolfgang Kandek, CTO of Qualys. “It was in the news recently when attackers installed malware through advertisements on Yahoo’s homepage by abusing a Java vulnerability on the affected users’ machines. Fix this vulnerability first, and if you encounter resistance to updating Java, map out why the machines in question cannot run this latest version.”

The update also addresses 22 security issues for Oracle Fusion Middleware. Nineteen of these can be exploited remotely over the network without authentication. As is the case with Java, the highest CVSS Base Score in this group of vulnerabilities is a 10.0. The components affected by the vulnerabilities in the update include Oracle GlassFish Server, Oracle iPlanet Web Proxy Server and Oracle WebCenter Portal.

The rest of the update includes five security fixes for the Oracle Database Server; four for Oracle E-Business Suite; 16 for the Oracle Supply Chain Products Suite; 17 for Oracle PeopleSoft; two for Oracle Siebel CRM, one for Oracle iLearning; 1 for Oracle Financial Services Software; 11 for Oracle and Sun Systems Product Suite; nine for Oracle Virtualization and 18 for Oracle MySQL.

“Large patch drops from Oracle each quarter are a death blow for security and IT teams,” said Lamar Bailey, director of security research and development for Tripwire. “Oracle products are embedded everywhere in enterprise critical infrastructure and setting up timely change control windows for all their products is next to impossible.”

He urged Oracle customers to focus on applying the Java patches.

“If you’re still using Java drop everything and start patching as fast as possible because exploitation of these vulnerabilities is imminent,” he said.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


A high-severity format string vulnerability in F5 BIG-IP can be exploited to cause a DoS condition and potentially execute arbitrary code.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.