Oracle to patch Java, other products Tuesday

Summary: 47 Oracle products to be patched on Patch Tuesday, with a total of 147 vulnerability fixes, 85 of them for flaws which are remotely-exploitable without authentication.

TOPICS: Security, Oracle

As is their custom, Oracle will be releasing their January 2014 quarterly patches on Patch Tuesday, the same day as Microsoft.

This group of updates affects 47 products. There are a total of 147 vulnerability fixes; some of the vulnerabilities affect multiple products, so the total number of vulnerabilities addressed is less than 147, but not specified. On Tuesday we will likely have that number when the actual CVE numbers are released.

47 of the fixes are for vulnerabilities which can be exploited remotely without authentication, a measure of extreme severity and an indicator that the fix should be applied as soon as possible, as Oracle advises.

36 of the fixes will be for Java 7 SE products, 34 of them exploitable remotely without authentication.

For each product family, Oracle provides the highest CVSS Base Score of vulnerabilities affecting the products being updated. CVSS is the Common Vulnerability Scoring System, maintained by the Department of Homeland Security National Cyber Security Division and NIST (the National Institute of Standards and Technology). Scores range from 0.1 to 10.0, with 10.0 being as bad as it gets. Oracle explains their use of CVSS scoring on this page.

The list below contains all the products, including versions, affected in Tuesday's updates. The table below that includes the number of vulnerabilities addressed for each product family, the number which are remotely exploitable without authentication, and the maximum CVSS score for vulnerabilities addressed in that family.

  • Oracle Database 11g Release 1, version
  • Oracle Database 11g Release 2, versions,
  • Oracle Database 12c Release 1, version
  • Oracle Fusion Middleware 11g Release 1, versions,
  • Oracle Fusion Middleware 11g Release 2, versions,
  • Oracle Fusion Middleware 12c Release 2, version 12.1.2
  • Oracle Containers for J2EE, version
  • Oracle Enterprise Data Quality, versions 8.1, 9.0.8
  • Oracle Forms and Reports 11g, Release 2, version
  • Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, versions 8.1, 8.2
  • Oracle HTTP Server 11g, versions,
  • Oracle HTTP Server 12c, version 12.1.2
  • Oracle Identity Manager, versions,,,
  • Oracle Internet Directory, versions,
  • Oracle iPlanet Web Proxy Server, version 4.0
  • Oracle iPlanet Web Server, versions 6.1, 7.0
  • Oracle Outside In Technology, versions 8.4.0, 8.4.1
  • Oracle Portal, version
  • Oracle Reports Developer, versions,,
  • Oracle Traffic Director, versions,
  • Oracle WebCenter Portal versions,,
  • Oracle WebCenter Sites versions,
  • Hyperion Essbase Administration Services, versions,,
  • Hyperion Strategic Finance, versions,
  • Oracle E-Business Suite Release 11i, version
  • Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
  • Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1
  • Oracle AutoVue Electro-Mechanical Professional, versions 20.1.1, 20.2.2
  • Oracle Demantra Demand Management, versions 7.3.1, 12.2.1, 12.2.2, 12.2.3
  • Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2
  • Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0
  • Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2
  • Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53
  • Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2
  • Oracle Siebel Core, versions 8.1.1, 8.2.2
  • Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2
  • Oracle iLearning, version 6.0
  • Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1,, 3.0, 12.0.1, 12.0.2
  • Oracle JavaFX, versions 2.2.45 and earlier
  • Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier
  • Oracle Java SE Embedded, versions 7u45 and earlier
  • Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier
  • Oracle Solaris versions 8, 9, 10, 11.1
  • Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10
  • Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6
  • Oracle MySQL Enterprise Monitor, versions 2.3, 3.0
  • Oracle MySQL Server, versions 5.1, 5.5, 5.6

| Product Family | Components Affected | Total # Vulnerabilities | # remotely exploitable without authentication | Maximum CVSS Base Score |
|---|---|---|---|---|
| Oracle Database Server | | 5 | 1 | 5.0 |
| Oracle Fusion Middleware | Oracle Containers for J2EE; Oracle Enterprise Data Quality; Oracle GlassFish Server; Oracle HTTP Server; Oracle Identity Manager; Oracle Internet Directory; Oracle iPlanet Web Proxy Server; Oracle iPlanet Web Server; Oracle Outside In Technology; Oracle Portal; Oracle Reports Developer; Oracle Traffic Director; Oracle WebCenter Portal; Oracle WebCenter Sites | 25 | 22 | 10.0 |
| Oracle Hyperion | Hyperion Essbase Administration Services; Hyperion Strategic Finance | 2 | 0 | 7.1 |
| Oracle E-Business Suite | Oracle Application Object Library; Oracle Applications Framework; Oracle Payroll | 4 | 1 | 5.5 |
| Oracle Supply Chain Products Suite | Oracle Agile Product Lifecycle Management for Process; Oracle AutoVue Electro-Mechanical Professional; Oracle Demantra Demand Management; Oracle Transportation Management | 16 | 6 | 5.5 |
| Oracle PeopleSoft Products | PeopleSoft Enterprise HRMS; PeopleSoft Enterprise HRMS Human Resources; PeopleSoft Enterprise PeopleTools; PeopleSoft Enterprise SCM Services Procurement | 17 | 10 | 5.0 |
| Oracle Siebel CRM | Siebel Core - EAI; Siebel Life Sciences | 2 | 1 | 5.0 |
| Oracle iLearning | Oracle iLearning | 1 | 1 | 4.3 |
| Oracle Financial Services Software Executive Summary | Oracle FLEXCUBE Private Banking | 1 | 1 | 10.0 |
| Java SE | Java SE; Java SE Embedded | 36 | 34 | 10.0 |
| Oracle and Sun Systems Products Suite | | 11 | 1 | 7.2 |
| Oracle Virtualization | Oracle Secure Global Desktop (SGD); Oracle VM VirtualBox | 9 | 4 | 6.8 |
| Oracle MySQL | MySQL Enterprise Monitor; MySQL Server | 18 | 3 | 10.0 |

  • Enough already!

    This Java thing is getting tiresome.
    And people bash Microsoft's Windows and related software?
    I just got a new laptop, and I *did not* install Java.
    So far so good.
    P.S. Constant Java updates on the computers I support are becoming a PAIN as well.
    • @radu.m .. you're talking

      as if Java is an essential utility to include on a Windows system. That you actually didn't decide to install Java (or more accurately the JRE), is something you should've been doing all along.

      I've not installed Oracle (or Sun's) JRE's for years .. and don't ever plan to again.

      Take some free advice: unless you're a Java-based, s/w dev', there's no earthly reason to install *anything* Java on your Windows-based system.
    • Well

      People do bash Windows for updates. Some people bash Oracle and Apple for updates. I could bash Canonical because I had to dismiss two reminders about 13.10 before I could get to the work I wanted to do.

      Guess what? Someone else's updating frequency has nothing to do with whether a party is updating too frequently or not.

      Too frequently is also subjective. If Windows has a problem, I would like it fixed. If OS X has a problem, I would like it fixed. I use java — not in the browser — and I would like it fixed because I know it has problems, and switching to another platform would require hours of work to rewrite and debug the java tools as I port them.

      As to you, if you don't need java, don't use it and you will find yourself as unconcerned with updates as I am regarding Ruby on Rails. (Not a knock on RoR, I had a good workflow and stable tools already in place before I noticed RoR.)

      If the computers you support need java, then, sorry fella, the job is going to be unfun.

      If it was fun all the time, they wouldn't pay us. I have one recommendation: the serenity prayer.
  • Mate, you need some cheese to go with your whine

    Dost thou whine also about Microsoft/Apple/Adobe/Other patches?

    Or mayhaps thou art a whiner selective?
    • JRE gets more patches than an OS

      Isn't that sad?
      Michael Alan Goff
  • jre is crap

    and needs to be killed off.
  • Time should be the essence, but it never was.

    Another reason to give up on Java; Quarterly Patches. Too little, too late.