Oracle issues critical patch update: 104 security fixes

Summary: In a massive critical patch update, Oracle has fixed 104 security flaws within its products. Unsurprisingly, Java is at the top of the list.

TOPICS: Security, Oracle

Oracle has released a swathe of security updates culminating in a massive 104 new security fixes for products including Java, Fusion Middleware, and MySQL.

The California-based firm's latest critical patch update (CPU) includes 37 Java SE vulnerabilities, four of which were deemed critical after receiving a CVSS Base Score of 10. Of these security flaws, 29 affect client-only deployments, while six affect both client and server deployments of Java. One affects the Javadoc tool and one affects unpack200. CVE-2014-2398 can be exploited remotely, so updates should not be delayed if you want to keep your system safe.

The CPU also provides 20 Fusion Middleware vulnerability fixes. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 7.5, which is fairly severe in Oracle's measurements. Each one can be exploited using HTTP, and 13 can be exploited remotely without authorization.

MySQL versions 5.5 and 5.6 have received patch updates covering 14 security vulnerabilities in total, only one of which, CVE-2014-2431, is exploitable remotely.

Two fixes were issued for Oracle's flagship software, the Oracle Database, and both security flaws would need credentials before systems could be exploited remotely.

Other product lines affected by the latest CPU include Hyperion, Supply Chain Product Suite, PeopleSoft Enterprise, Sun Systems Products Suite and Oracle Linux and Virtualization. Due to the severity of this update, it is recommended that you apply the patch immediately.

The next CPU date is 15 July this year.

The full list of affected software is below:

[Two screenshots of the affected software list]

  • Take a look at SAP's CVEs this month

    There are quite a few of those too.
    Alan Smithie
    • in the misery loves company dept.

      Yeah, they are just as bad or worse than me... doesn't really make me any better.

      Could we have a little more timeliness ... rather than the mass dump of fixes all at once we've been vulnerable to for ... months
  • proprietary sw is not secure

    more reasons to use only secure FOSS and avoid M$, oracle & Crapple
    LlNUX Geek
    • all while FOSS is left with unmitigated vulnerabilities for years

      Open for hackers to exploit. Many eyes are clearly blind and cannot be trusted.
    • ummm

      one word... Heartbleed.
    • *cough* OPEN SSL *cough* *cough*
    • Wow

      I had no idea that Linux did not run Java runtime. /s
      Rann Xeroxx
  • Really.

    It's exactly what we've been complaining about with the FOSS kool-aid since it first came up as a "security feature". It makes the hackers' jobs easier, too. So if "the community" doesn't look at the code and find and fix it, it gets exploited.

    WORSE, frequently, white hats have to build an exploit and threaten to release it for updates to be expedited instead of "we'll get to it in the next major release".
  • Misleading

    The title and summary caught my interest, thinking that Oracle found/patched 104 vulnerabilities in their DB...when it's 104 vulnerabilities spread across all their products.
    • Not misleading

      Your assumptions tripped you up. Oracle is obviously more than a database.