Oracle to release 128 security patches, hundreds of products affected

Summary: The software technology giant will today release fixes for "hundreds" of its products, including Java, flaws in which led to high-profile corporate hacking earlier this year.

TOPICS: Security, Oracle

Oracle will later on Tuesday release 128 fixes for security vulnerabilities that affect "hundreds" of its products.

The technology giant and Java software maker said in a pre-release announcement today that four of the patches include fixes for Oracle's flagship database product, which can be exploited remotely without the need for a username or password.

Also, 29 security fixes will arrive for Oracle Fusion Middleware, with 22 of these also allowing attacks without the need for authentication.

Affected components include Oracle HTTP Server, JRockit, WebCenter and WebLogic.

Both Oracle products carry a Common Vulnerability Scoring System (CVSS) rating of 10, the most severe rating.

Oracle E-Business Suite contains six new security fixes, Oracle Supply Chain Products Suite has three new security fixes, and Oracle PeopleSoft Products contains 11 new security fixes.

Dozens more fixes for various Sun-branded products and Oracle financial software will arrive later on Tuesday when Oracle releases the patches over the usual update channels.

The "critical" patch update contains dozens more security fixes than the release in January, which contained 86 fixes. The high-impact nature of these updates means that the affected Oracle products must be patched "as soon as possible," as a result of the "threat posed by a successful attack."

Java updates on deck

The Web plugin Java, developed by Oracle, will also receive a number of updates, including 42 security patches.

Out of the total number, only three vulnerabilities are not remotely exploitable; the rest can be attacked over a network without the need for a username or password.

Affected Java software includes Java 5 (Update 41) and earlier, Java 6 (Update 43) and earlier, and Java 7 (Update 17) and earlier. JavaFX 2.2.7 and earlier versions are also affected.

Under Oracle's own CVSS rating system, some flaws rate as important though not critical, while some rate at the highest rating of 10.

It comes only a few months after Java software was pinpointed by a number of major technology companies as being the root cause of a series of successful corporate hacking attacks.

Facebook, Apple, Twitter, and news agency NBC, as well as a number of others, all suffered as a result of a zero-day vulnerability in Java that led to hackers infiltrating the companies' internal networks in February.

Facebook confirmed that its internal network breach was a result of a zero-day exploit in the Java plugin, as did Apple in a statement in mid-February. Law-enforcement agencies were informed in both cases.

Others came forward after initial reports suggested that Chinese hackers were behind the attacks, following reports of intrusions by The New York Times and other high profile newspapers.

The companies said in separate statements that there was "no evidence" to suggest that company or private user data had been stolen.

A "watering hole" technique was used by hackers attacking a popular iPhone and iPad development site that infected Java-running Apple MacBook machines. The site, riddled with malware that was injected into the website's code, used an exploit in the Java Web plugin to gain access to the employee laptops.

  • Oracle is the worst...

    Legendary poor support, poor integration, Java 7 is a mess, DB corruption is absurdly common, reliably connecting anything to an Oracle DB is an exercise in frustration.

    I've come to loathe the whole company over the last 15 years.
  • Java?

    Never, ever, NEVER again. Never.
  • No more Flash leadership?

    Adobe must be happy to have a competitor for its FlashBuggedplayer.
  • Why?

    Why do people still use this swiss cheese?
    Dreyer Smit
    • My guess

      I think they still use it because all of their in-house stuff was written with it in mind. It's unfortunate, but no program exists in a vacuum these days.
      Third of Five
  • Sorry got to let you go.

    I think Oracle need to hire some new software experts and they need to stop acting like a Cheap adware expert by taking not offering any 3 party downloads. It's cheap and stupid. Frankly I don't trust them.
  • Sorry got to let you go!

    Sorry got to let you go.

    I think Oracle need to hire some people that know software and they need to stop acting like a Cheap adware company by not offering any 3 party downloads. It's cheap and stupid. Frankly I don't trust them.
  • Why not go back to DOS?

    Always will be critics of every program ever made. Still use Java. Still use Flash. Still use Shockwave. Still use windows and still use Internet Explorer. NEVER had but a few MINOR problems since ANY of their conceptions over the years since DOS was the only thing in existence..

    There will always be hackers no matter WHAT system you have. You can stop using all the above mentioned and a slurry of just about any other program or system you want. In other words...go back to a screen of letters and numbers only if that is your taste.

    Your fear is not my fear. Your paranoia is not my paranoia. Your promoting of your favored system is not my promotion. Your bias is not my bias. And your "expertise" is not reliable.

    Therefore I will continue to use the systems and programs that I have always used and ignore your rants of shutting down Java, uninstalling flash, uninstalling shockwave, Getting a Mac, or using Fireflop.

    I prefer a system that is entertaining to use....and using it without fearing every click of the button I am going to get zapped. So problems except minor ones once in a while which are ALWAYS remedied.

    Get the updates and security fixes as they come out and use a good firewall and antivirus, with my system all security essentials... and enjoy the internet.

    Every time anything comes out bad about just about every OS or program you get these rhetorical ranters saying don't use it or uninstall it or change your system to mine! Guess what. NO I WILL NOT!
  • "Unbreakable"

    Larry Ellison couldn't be more wrong.
  • There are Oracle alternatives.....use them

    I got Oracle'd out a long time ago. There is a very funny, albeit inappropriate for children, YouTube video titled "Oracle Sucks" referring to their support.