Oracle just released a massive security update that covers 104 vulnerabilities across its product portfolio.
Thirty-seven of the vulnerabilities affect Oracle Java SE. According to Oracle’s advisory, 35 of these can be exploited remotely without authentication. Four of the bugs have a CVSS Base Score of 10, the most critical rating a bug can achieve.
“[Twenty-nine] of these 37 vulnerabilities affected client-only deployments, while 6 affected client and server deployments of Java SE,” blogged Eric Maurice, Oracle software security assurance director. “Rounding up this count [was] one vulnerability affecting the Javadoc tool and one affecting unpack200. As a reminder, desktop users, including home users, can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version of Java. Java SE security fixes delivered through the Critical Patch Update program are cumulative. In other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes.”
“Oracle strongly recommends that Java users, particularly home users, keep up with Java releases and remove obsolete versions of Java SE, so as to protect themselves against malicious exploitation of Java vulnerabilities,” he added.
While Java SE took the lion’s share of fixes, other issues in Fusion Middleware and MySQL were addressed as well, noted Amol Sarwate, director of Qualys’ Vulnerability Labs.
“All vulnerabilities in the Fusion Middleware can be exploited over the web using HTTP, and 13 out of the 20 can be exploited remotely without authentication,” he blogged.
Fourteen security fixes are aimed at Oracle MySQL, including two that can be exploited remotely without authentication.
The update also includes: five fixes for Oracle Virtualization; three for Oracle and Sun Systems Products Suite; one in Oracle iLearning; one in Oracle Siebel CRM; eight in Oracle PeopleSoft products; 10 for the Oracle Supply Chain products suite; two for Oracle Database and three for Oracle Hyperion.
“Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update (CPU), Oracle strongly recommends that customers apply this Critical Patch Update as soon as possible,” blogged Maurice.
The next CPU is scheduled to be released July 15. In light of the Heartbleed vulnerability, Oracle also recently released a list of affected products and mitigations.