Oracle plans to issue a massive security update Tuesday that addresses 113 vulnerabilities.
Twenty of the security fixes are aimed at Oracle Java SE. All of these bugs can be exploited remotely without authentication. According to Oracle, the Java SE components fixed in the update affect Java SE and JRockit. The highest CVSS Base Score of the vulnerabilities is 10 – the highest criticality score available.
The update also contains 29 new security fixes for Oracle Fusion Middleware. Twenty-seven of the vulnerabilities are remotely exploitable over a network without the need for a username and password. The highest CVSS Base Score of vulnerabilities affecting Oracle Fusion Middleware is 7.5. The vulnerabilities are in: BI Publisher, GlassFish Communications Server, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle HTTP Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle JDeveloper, Traffic Director, WebCenter Portal and WebLogic Server.
Other vulnerabilities set to be addressed affect the following products: Oracle Database Server (5); Oracle Hyperion (7); Oracle Enterprise Grid Manager (1); Oracle E-Business Suite (5); Supply Chain Products Suite (3); PeopleSoft (5); Siebel CRM (6); Oracle Communications Messaging Server (1); Oracle Retail Applications (3); Oracle Virtualization (15); Oracle and Sun Systems Products Suite (3); and MySQL (10).
“While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory,” Oracle stated in the advisory.
“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” according to the company. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”
“Oracle Database server may only have five vulnerabilities being resolved, but one or more of those have a CVSS base score of 9.0,” said Chris Goettl, program product manager for Shavlik Technologies. “Several other products like Fusion, Virtualization and Retail Applications have CVSS base scores of 7.5 and the rest start to fall steadily from there, but one fairly common theme is they are remotely executable without the need for authentication. Companies running a lot of Oracle software should take some time on Tuesday and review what solutions they have and where they are to see if immediate action is necessary. Again, for Java, the urgency is going to be far greater. If you don’t have a breaking dependency on a specific version it would be a good idea to rollout these updates as soon as you can.”