Oracle to patch Java, other products Tuesday

47 Oracle products to be patched on Patch Tuesday, with a total of 147 vulnerability fixes, 85 of them for flaws which are remotely-exploitable without authentication.
Written by Larry Seltzer, Contributor

As is their custom, Oracle will be releasing their January 2014 quarterly patches on Patch Tuesday, the same day as Microsoft.

This group of updates affects 47 products. There are a total of 147 vulnerability fixes; some of the vulnerabilities affect multiple products, so the total number of vulnerabilities addressed is less than 147, but not specified. On Tuesday we will likely have that number when the actual CVE numbers are released.

47 of the fixes are for vulnerabilities which can be exploited remotely without authentication, a measure of extreme severity and an indicator that the fix should be applied as soon as possible, as Oracle advises.

36 of the fixes will be for Java 7 SE products, 34 of them exploitable remotely without authentication.

For each product family, Oracle provides the highest CVSS Base Score of vulnerabilities affecting the products being updated. CVSS is the Common Vulnerability Scoring System, maintained by the Department of Homeland Security National Cyber Security Division and NIST (the National Institite of Standards and Technology). Scores range from 0.1 to 10.0, with 10.0 being as bad as it gets. Oracle explains their use of CVSS scoring on this page.

This list below contains all the products, including versions, affected in Tuesday's updates. The table below that includes the number of vulnerabilities addressed for each product family, the number which are remotely exploitable without authentication, and the maximum CVSS score for vulnerabilities addressed in that family.

  • Oracle Database 11g Release 1, version
  • Oracle Database 11g Release 2, versions,
  • Oracle Database 12c Release 1, version
  • Oracle Fusion Middleware 11g Release 1, versions,
  • Oracle Fusion Middleware 11g Release 2, versions,
  • Oracle Fusion Middleware 12c Release 2, version 12.1.2
  • Oracle Containers for J2EE, version
  • Oracle Enterprise Data Quality, versions 8.1, 9.0.8
  • Oracle Forms and Reports 11g, Release 2, version
  • Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, versions 8.1, 8.2
  • Oracle HTTP Server 11g, versions,
  • Oracle HTTP Server 12c, version 12.1.2
  • Oracle Identity Manager, versions,,,
  • Oracle Internet Directory, versions,
  • Oracle iPlanet Web Proxy Server, version 4.0
  • Oracle iPlanet Web Server, versions 6.1, 7.0
  • Oracle Outside In Technology, versions 8.4.0, 8.4.1
  • Oracle Portal, version
  • Oracle Reports Developer, versions,,
  • Oracle Traffic Director, versions,
  • Oracle WebCenter Portal versions,,
  • Oracle WebCenter Sites versions,
  • Hyperion Essbase Administration Services, versions,,
  • Hyperion Strategic Finance, versions,
  • Oracle E-Business Suite Release 11i, version
  • Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
  • Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1
  • Oracle AutoVue Electro-Mechanical Professional, versions 20.1.1, 20.2.2
  • Oracle Demantra Demand Management, versions 7.3.1, 12.2.1, 12.2.2, 12.2.3
  • Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2
  • Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0
  • Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2
  • Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53
  • Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2
  • Oracle Siebel Core, versions 8.1.1, 8.2.2
  • Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2
  • Oracle iLearning, version 6.0
  • Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1,, 3.0, 12.0.1, 12.0.2
  • Oracle JavaFX, versions 2.2.45 and earlier
  • Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier
  • Oracle Java SE Embedded, versions 7u45 and earlier
  • Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier
  • Oracle Solaris versions 8, 9, 10, 11.1
  • Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10
  • Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6
  • Oracle MySQL Enterprise Monitor, versions 2.3, 3.0
  • Oracle MySQL Server, versions 5.1, 5.5, 5.6
Product Family


Components Affected

Total # Vulnerabilities # remotely exploitable without authentication Maximum CSS Base Score
Oracle Database Server




5 1 5.0
Oracle Fusion Middleware


Oracle Containers for J2EE

Oracle Enterprise Data Quality

Oracle GlassFish Server

Oracle HTTP Server

Oracle Identity Manager

Oracle Internet Directory

Oracle iPlanet Web Proxy Server

Oracle iPlanet Web Server

Oracle Outside In Technology

Oracle Portal

Oracle Reports Developer

Oracle Traffic Director

Oracle WebCenter Portal

Oracle WebCenter Sites

25 22 10.0
Oracle Hyperion


Hyperion Essbase Administration Services

Hyperion Strategic Finance

2 0 7.1
Oracle E-Business Suite


Oracle Application Object Library

Oracle Applications Framework

Oracle Payroll

4 1 5.5
Oracle Supply Chain Products Suite


Oracle Agile Product Lifecycle Management for Process

Oracle AutoVue Electro-Mechanical Professional

Oracle Demantra Demand Management

Oracle Transportation Management

16 6 5.5
Oracle PeopleSoft Products


PeopleSoft Enterprise HRMS

PeopleSoft Enterprise HRMS Human Resources

PeopleSoft Enterprise PeopleTools

PeopleSoft Enterprise SCM Services Procurement

17 10 5.0
Oracle Siebel CRM


Siebel Core - EAI

Siebel Life Sciences

2 1 5.0
Oracle iLearning


Oracle iLearning

1 1 4.3
Oracle Financial Services Software Executive Summary


Oracle FLEXCUBE Private Banking

1 1 10.0
Java SE


Java SE

Java SE Embedded



36 34 10.0
Oracle and Sun Systems Products Suite



11 1 7.2
Oracle Virtualization


Oracle Secure Global Desktop (SGD)

Oracle VM VirtualBox

9 4 6.8
Oracle MySQL


MySQL Enterprise Monitor

MySQL Server

18 3 10.0
Editorial standards