Oracle to patch Java, other products Tuesday

As is their custom, Oracle will be releasing their January 2014 quarterly patches on Patch Tuesday, the same day as Microsoft.
This group of updates affects 47 products. There are a total of 147 vulnerability fixes; some of the vulnerabilities affect multiple products, so the total number of distinct vulnerabilities addressed is less than 147, though Oracle has not specified it. On Tuesday we will likely have that number when the actual CVE numbers are released.
47 of the fixes are for vulnerabilities which can be exploited remotely without authentication, a measure of extreme severity and an indicator that the fix should be applied as soon as possible, as Oracle advises.
36 of the fixes will be for Java 7 SE products, 34 of them exploitable remotely without authentication.
For each product family, Oracle provides the highest CVSS Base Score of vulnerabilities affecting the products being updated. CVSS is the Common Vulnerability Scoring System, maintained by the Department of Homeland Security National Cyber Security Division and NIST (the National Institute of Standards and Technology). Scores range from 0.1 to 10.0, with 10.0 being as bad as it gets. Oracle explains their use of CVSS scoring on this page.
The list below contains all the products, including versions, affected in Tuesday's updates. The table below that includes the number of vulnerabilities addressed for each product family, the number which are remotely exploitable without authentication, and the maximum CVSS score for vulnerabilities addressed in that family.
- Oracle Database 11g Release 1, version 11.1.0.7
- Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
- Oracle Database 12c Release 1, version 12.1.0.1
- Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7
- Oracle Fusion Middleware 11g Release 2, versions 11.1.2.0, 11.1.2.1
- Oracle Fusion Middleware 12c Release 2, version 12.1.2
- Oracle Containers for J2EE, version 10.1.3.5
- Oracle Enterprise Data Quality, versions 8.1, 9.0.8
- Oracle Forms and Reports 11g, Release 2, version 11.1.2.1
- Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, versions 8.1, 8.2
- Oracle HTTP Server 11g, versions 11.1.1.6, 11.1.1.7
- Oracle HTTP Server 12c, version 12.1.2
- Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1
- Oracle Internet Directory, versions 11.1.1.6, 11.1.1.7
- Oracle iPlanet Web Proxy Server, version 4.0
- Oracle iPlanet Web Server, versions 6.1, 7.0
- Oracle Outside In Technology, versions 8.4.0, 8.4.1
- Oracle Portal, version 11.1.1.6
- Oracle Reports Developer, versions 11.1.1.6, 11.1.1.7, 11.1.2.1
- Oracle Traffic Director, versions 11.1.1.6, 11.1.1.7
- Oracle WebCenter Portal versions 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0
- Oracle WebCenter Sites versions 11.1.1.6.1, 11.1.1.8.0
- Hyperion Essbase Administration Services, versions 11.1.2.1, 11.1.2.2, 11.1.2.3
- Hyperion Strategic Finance, versions 11.1.2.1, 11.1.2.2
- Oracle E-Business Suite Release 11i, version 11.5.10.2
- Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
- Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1
- Oracle AutoVue Electro-Mechanical Professional, versions 20.1.1, 20.2.2
- Oracle Demantra Demand Management, versions 7.3.1, 12.2.1, 12.2.2, 12.2.3
- Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2
- Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0
- Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2
- Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53
- Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2
- Oracle Siebel Core, versions 8.1.1, 8.2.2
- Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2
- Oracle iLearning, version 6.0
- Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2
- Oracle JavaFX, versions 2.2.45 and earlier
- Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier
- Oracle Java SE Embedded, versions 7u45 and earlier
- Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier
- Oracle Solaris versions 8, 9, 10, 11.1
- Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10
- Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6
- Oracle MySQL Enterprise Monitor, versions 2.3, 3.0
- Oracle MySQL Server, versions 5.1, 5.5, 5.6

| Product Family | Components Affected | Total # Vulnerabilities | # remotely exploitable without authentication | Maximum CVSS Base Score |
| --- | --- | --- | --- | --- |
| Oracle Database Server | Core RDBMS, Spatial | 5 | 1 | 5.0 |
| Oracle Fusion Middleware | Oracle Containers for J2EE, Oracle Enterprise Data Quality, Oracle GlassFish Server, Oracle HTTP Server, Oracle Identity Manager, Oracle Internet Directory, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle Outside In Technology, Oracle Portal, Oracle Reports Developer, Oracle Traffic Director, Oracle WebCenter Portal, Oracle WebCenter Sites | 25 | 22 | 10.0 |
| Oracle Hyperion | Hyperion Essbase Administration Services, Hyperion Strategic Finance | 2 | 0 | 7.1 |
| Oracle E-Business Suite | Oracle Application Object Library, Oracle Applications Framework, Oracle Payroll | 4 | 1 | 5.5 |
| Oracle Supply Chain Products Suite | Oracle Agile Product Lifecycle Management for Process, Oracle AutoVue Electro-Mechanical Professional, Oracle Demantra Demand Management, Oracle Transportation Management | 16 | 6 | 5.5 |
| Oracle PeopleSoft Products | PeopleSoft Enterprise HRMS, PeopleSoft Enterprise HRMS Human Resources, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise SCM Services Procurement | 17 | 10 | 5.0 |
| Oracle Siebel CRM | Siebel Core - EAI, Siebel Life Sciences | 2 | 1 | 5.0 |
| Oracle iLearning | Oracle iLearning | 1 | 1 | 4.3 |
| Oracle Financial Services Software Executive Summary | Oracle FLEXCUBE Private Banking | 1 | 1 | 10.0 |
| Java SE | Java SE, Java SE Embedded, JavaFX, JRockit | 36 | 34 | 10.0 |
| Oracle and Sun Systems Products Suite | Solaris | 11 | 1 | 7.2 |
| Oracle Virtualization | Oracle Secure Global Desktop (SGD), Oracle VM VirtualBox | 9 | 4 | 6.8 |
| Oracle MySQL | MySQL Enterprise Monitor, MySQL Server | 18 | 3 | 10.0 |