Oracle to patch Java, other products Tuesday

Oracle to patch Java, other products Tuesday

Summary: 47 Oracle products to be patched on Patch Tuesday, with a total of 147 vulnerability fixes, 85 of them for flaws which are remotely-exploitable without authentication.

SHARE:
TOPICS: Security, Oracle
7

As is their custom, Oracle will be releasing their January 2014 quarterly patches on Patch Tuesday, the same day as Microsoft.

This group of updates affects 47 products. There are a total of 147 vulnerability fixes; some of the vulnerabilities affect multiple products, so the total number of vulnerabilities addressed is less than 147, but not specified. On Tuesday we will likely have that number when the actual CVE numbers are released.

47 of the fixes are for vulnerabilities which can be exploited remotely without authentication, a measure of extreme severity and an indicator that the fix should be applied as soon as possible, as Oracle advises.

36 of the fixes will be for Java 7 SE products, 34 of them exploitable remotely without authentication.

For each product family, Oracle provides the highest CVSS Base Score of vulnerabilities affecting the products being updated. CVSS is the Common Vulnerability Scoring System, maintained by the Department of Homeland Security National Cyber Security Division and NIST (the National Institite of Standards and Technology). Scores range from 0.1 to 10.0, with 10.0 being as bad as it gets. Oracle explains their use of CVSS scoring on this page.

This list below contains all the products, including versions, affected in Tuesday's updates. The table below that includes the number of vulnerabilities addressed for each product family, the number which are remotely exploitable without authentication, and the maximum CVSS score for vulnerabilities addressed in that family.

  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
  • Oracle Database 12c Release 1, version 12.1.0.1
  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7
  • Oracle Fusion Middleware 11g Release 2, versions 11.1.2.0, 11.1.2.1
  • Oracle Fusion Middleware 12c Release 2, version 12.1.2
  • Oracle Containers for J2EE, version 10.1.3.5
  • Oracle Enterprise Data Quality, versions 8.1, 9.0.8
  • Oracle Forms and Reports 11g, Release 2, version 11.1.2.1
  • Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, versions 8.1, 8.2
  • Oracle HTTP Server 11g, versions 11.1.1.6, 11.1.1.7
  • Oracle HTTP Server 12c, version 12.1.2
  • Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1
  • Oracle Internet Directory, versions 11.1.1.6, 11.1.1.7
  • Oracle iPlanet Web Proxy Server, version 4.0
  • Oracle iPlanet Web Server, versions 6.1, 7.0
  • Oracle Outside In Technology, versions 8.4.0, 8.4.1
  • Oracle Portal, version 11.1.1.6
  • Oracle Reports Developer, versions 11.1.1.6, 11.1.1.7, 11.1.2.1
  • Oracle Traffic Director, versions 11.1.1.6, 11.1.1.7
  • Oracle WebCenter Portal versions 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0
  • Oracle WebCenter Sites versions 11.1.1.6.1, 11.1.1.8.0
  • Hyperion Essbase Administration Services, versions 11.1.2.1, 11.1.2.2, 11.1.2.3
  • Hyperion Strategic Finance, versions 11.1.2.1, 11.1.2.2
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
  • Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1
  • Oracle AutoVue Electro-Mechanical Professional, versions 20.1.1, 20.2.2
  • Oracle Demantra Demand Management, versions 7.3.1, 12.2.1, 12.2.2, 12.2.3
  • Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2
  • Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0
  • Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2
  • Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53
  • Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2
  • Oracle Siebel Core, versions 8.1.1, 8.2.2
  • Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2
  • Oracle iLearning, version 6.0
  • Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2
  • Oracle JavaFX, versions 2.2.45 and earlier
  • Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier
  • Oracle Java SE Embedded, versions 7u45 and earlier
  • Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier
  • Oracle Solaris versions 8, 9, 10, 11.1
  • Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10
  • Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6
  • Oracle MySQL Enterprise Monitor, versions 2.3, 3.0
  • Oracle MySQL Server, versions 5.1, 5.5, 5.6
Product Family

 

Components Affected

Total # Vulnerabilities # remotely exploitable without authentication Maximum CSS Base Score
Oracle Database Server

 

Core RDBMS

Spatial

5 1 5.0
Oracle Fusion Middleware

 

Oracle Containers for J2EE

Oracle Enterprise Data Quality

Oracle GlassFish Server

Oracle HTTP Server

Oracle Identity Manager

Oracle Internet Directory

Oracle iPlanet Web Proxy Server

Oracle iPlanet Web Server

Oracle Outside In Technology

Oracle Portal

Oracle Reports Developer

Oracle Traffic Director

Oracle WebCenter Portal

Oracle WebCenter Sites

25 22 10.0
Oracle Hyperion

 

Hyperion Essbase Administration Services

Hyperion Strategic Finance

2 0 7.1
Oracle E-Business Suite

 

Oracle Application Object Library

Oracle Applications Framework

Oracle Payroll

4 1 5.5
Oracle Supply Chain Products Suite

 

Oracle Agile Product Lifecycle Management for Process

Oracle AutoVue Electro-Mechanical Professional

Oracle Demantra Demand Management

Oracle Transportation Management

16 6 5.5
Oracle PeopleSoft Products

 

PeopleSoft Enterprise HRMS

PeopleSoft Enterprise HRMS Human Resources

PeopleSoft Enterprise PeopleTools

PeopleSoft Enterprise SCM Services Procurement

17 10 5.0
Oracle Siebel CRM

 

Siebel Core - EAI

Siebel Life Sciences

2 1 5.0
Oracle iLearning

 

Oracle iLearning

1 1 4.3
Oracle Financial Services Software Executive Summary

 

Oracle FLEXCUBE Private Banking

1 1 10.0
Java SE

 

Java SE

Java SE Embedded

JavaFX

JRockit

36 34 10.0
Oracle and Sun Systems Products Suite

 

Solaris

11 1 7.2
Oracle Virtualization

 

Oracle Secure Global Desktop (SGD)

Oracle VM VirtualBox

9 4 6.8
Oracle MySQL

 

MySQL Enterprise Monitor

MySQL Server

18 3 10.0

Topics: Security, Oracle

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

7 comments
Log in or register to join the discussion
  • Enough already!

    This Java thing is getting tiresome.
    And people bash Microsoft's Windows and related software?
    I just got a new laptop, and I *did not* install Java.
    So far so good.
    P.S. Constant Java updates on the computers I support are becoming a PAIN as well.
    radu.m
    • @radu.m .. you're talking

      as if Java is an essential utility to include on a Windows system. That you actually didn't decide to install Java (or more accurately the JRE), is something you should've been doing all along.

      I've not installed Oracle (or Sun's) JRE's for years .. and don't ever plan to again.

      Take some free advice: unless you're a Java-based, s/w dev', there's no earthly reason to install *anything* Java on your Windows-based system.
      thx-1138_
    • Well

      People do bash Windows for updates. Some people bash Oracle and Apple for updates. I could bash Canonical because I had to dismiss two reminders about 13.10 before I could get to the work I wanted to do.

      Guess what? Someone else's updating frequency has nothing to do with whether a party is updating too frequently or not.

      Too frequently is also subjective. If Windows has a problem, I would like it fixed. If OS X has a problem, I would like it fixed. I use java — not in the browser — and I would it like it fixed because I know it has problems, and switching to another platform would require hours of work to rewrite and debug the java tools as I port them.

      As to you, if you don't need java, don't use it and you will find yourself as unconcerned with updates as I am regarding Ruby on Rails. (Not a knock on RoR, I had a good workflow and stable tools already in place before I noticed RoR.)

      If the computers you support need java, then, sorry fella, the job is going to be unfun.

      If it was fun all the time, they wouldn't pay us. I have one recommendation: the serenity prayer.
      DannyO_0x98
  • Mate, you need some cheese to go with your whine

    Dost thou whine also about Microsoft/Apple/Adobe/Other patches?

    Or mayhaps thou art a whiner selective?
    ego.sum.stig
    • JRE gets more patches than an OS

      Isn't that sad?
      Michael Alan Goff
  • jre is crap

    and needs to be killed off.
    hoppmang
  • Time should be the essence, but it never was.

    Another reason to give-up on Java; Quarterly Patches. Too little, too late.
    JTONLY