Oracle fixes 33 security bugs

The flaws, which affect hundreds of products across the software maker's range, include two given the highest possible severity rating
Written by Matthew Broersma, Contributor

Oracle has released fixes for 33 security flaws that affect hundreds of products across its range.

In its security advisory, published alongside the patches on Tuesday, the software maker gave two of the vulnerabilities its highest possible severity rating.

"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products," Oracle said in a statement. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible."

Under the Common Vulnerability Scoring System (CVSS) used by Oracle, two of the bugs — those affecting the JRockit and Secure Backup HTTP components — received a severity score of 10, the highest available. Both of the flaws are remotely exploitable, do not require authentication and could allow an attacker to take control of a system, Oracle said.

The JRockit fix is included in a patch for the BEA Product Suite, while the patch for Secure Backup HTTP is included in a fix for the Secure Backup product.

A flaw in the Oracle Database's network foundation layer, the component that establishes and maintains network connections, received a CVSS score of 9 on Windows. Exploiting it requires authentication, but a successful attack could give an attacker complete control of the database, Oracle said. The network foundation layer fix is included in the patch for the Oracle Database product.

Overall, the update includes 10 fixes for Oracle's database software, of which three can be exploited remotely without authentication, Oracle said.

Other patches include two for Oracle Secure Backup; two for the Oracle Application Server; five for Oracle Applications; two for Oracle Enterprise Manager; three for the Oracle PeopleSoft and JDEdwards Suite; one for the Oracle Siebel Suite; and five for the Oracle BEA Products Suite. Full details of the bugs are available from Oracle.

Oracle's update arrived on the same day as patches from Microsoft fixing critical vulnerabilities in DirectShow and the Microsoft Video ActiveX control that had already been targeted in attacks, as well as flaws in the Embedded OpenType Font Engine and Microsoft Publisher that could allow someone to remotely take control of a system. Oracle's next quarterly security update is due on 13 October.