Oracle to release 128 security patches, hundreds of products affected

The software technology giant will release today fixes for "hundreds" of its products, including Java, that led to high profile corporate hacking earlier this year.
Written by Zack Whittaker, Contributor

Oracle will later on Tuesday release 128 fixes for security vulnerabilities that affect "hundreds" of its products.

Image: James Martin/CNET

The technology giant and Java software maker said in a pre-release announcement today that four of the patches include fixes for Oracle's flagship database product, which can be exploited remotely without the need for a username or password.

Also, 29 security fixes will arrive for Oracle Fusion Middleware, with 22 of these also allowing attacks without the need for authentication.

Affected components include Oracle HTTP Server, JRockit, WebCenter and WebLogic.

Both Oracle products have flaws with a common vulnerability scoring system (CVSS) rating of 10, the highest possible severity.

Oracle E-Business Suite contains six new security fixes, Oracle Supply Chain Products Suite has three new security fixes, and Oracle PeopleSoft Products contains 11 new security fixes.

Dozens more fixes for various Sun-branded products and Oracle financial software will arrive later on Tuesday when Oracle releases the patches over the usual update channels.

The "critical" patch update contains dozens more security fixes than the release in January, which contained 86 fixes. The high-impact nature of these updates means that the affected Oracle products must be patched "as soon as possible," as a result of the "threat posed by a successful attack."

Java updates on deck

The Web plugin Java, developed by Oracle, will also receive a number of updates, including 42 security patches.

Of these, all but three are remotely exploitable without authentication, meaning the software can be attacked over a network without the need for a username or password.

Affected Java software includes Java 5 (Update 41) and earlier, Java 6 (Update 43) and earlier, and Java 7 (Update 17) and earlier. JavaFX 2.2.7 and earlier versions are also affected.
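Because the affected ranges are stated as "this update and earlier", an administrator's first question is whether a given installation falls inside them. The following Python script is an added example (not Oracle's code and not part of the original article): it parses the legacy `java -version` banner format of that era (`1.7.0_17`, with an optional `-bNN` build suffix) and a JavaFX version string, and compares them against the thresholds quoted above. The sample banners are constructed for illustration; the optional `java -version` call at the bottom is an assumption about where the banner comes from on a real host.

```python
"""Check a Java / JavaFX version against the ranges named in the April 2013
Oracle critical patch update (thresholds taken from the article text)."""
import re
import subprocess

# Highest update number that is still affected, per Java family (from the article).
AFFECTED_MAX_UPDATE = {5: 41, 6: 43, 7: 17}
# JavaFX 2.2.7 and earlier are affected (from the article).
AFFECTED_JAVAFX_MAX = (2, 2, 7)

# Legacy banner: java version "1.7.0_17"  (family 7, update 17); the update
# part is optional because a GA release can print "1.7.0" with no suffix.
_BANNER_RE = re.compile(r'"1\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(banner: str):
    """Return (family, update) from `java -version` output, or None if unparseable."""
    match = _BANNER_RE.search(banner)
    if not match:
        return None
    family = int(match.group(1))
    update = int(match.group(3)) if match.group(3) else 0
    return family, update


def java_is_affected(family: int, update: int):
    """True if the article lists this family/update as affected, False if it is
    newer than the listed cut-off, None if the family is not covered by the article."""
    if family not in AFFECTED_MAX_UPDATE:
        return None
    return update <= AFFECTED_MAX_UPDATE[family]


def javafx_is_affected(version: str) -> bool:
    """True for JavaFX 2.2.7 and earlier; shorter strings ("2.2") are padded with zeros."""
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3]) <= AFFECTED_JAVAFX_MAX


def assess_banner(banner: str) -> str:
    """Human-readable verdict for one `java -version` banner."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return "could not parse a Java version from the banner"
    family, update = parsed
    verdict = java_is_affected(family, update)
    label = f"Java {family} Update {update}"
    if verdict is None:
        return f"{label}: family not covered by this advisory"
    if verdict:
        return f"{label}: AFFECTED, patch to a release after Update {AFFECTED_MAX_UPDATE[family]}"
    return f"{label}: not in the affected range"


# Constructed sample banners (not captured from any real host).
SAMPLE_BANNERS = [
    'java version "1.7.0_17"\nJava(TM) SE Runtime Environment (build 1.7.0_17-b02)',
    'java version "1.6.0_45"\nJava(TM) SE Runtime Environment (build 1.6.0_45-b06)',
    'java version "1.5.0_41"',
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(assess_banner(banner))
    # Assumption: on a real host the banner comes from `java -version`, which
    # prints to stderr; skip quietly if no java binary is present.
    try:
        out = subprocess.run(["java", "-version"], capture_output=True, text=True)
        print("local host:", assess_banner(out.stderr + out.stdout))
    except FileNotFoundError:
        print("local host: java not found on PATH")
```

The script deliberately returns `None` for families the article does not mention (for example Java 8, which did not exist at the time), rather than guessing, so that an inventory script consuming it can flag "unknown" separately from "safe".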

Under Oracle's own CVSS rating system, some of the flaws rate as important though not critical, while others carry the maximum score of 10.

It comes only a few months after Java software was pinpointed by a number of major technology companies as being the root cause of a series of successful corporate hacking attacks.

Facebook, Apple, Twitter, and news agency NBC, as well as a number of others, all suffered as a result of a zero-day vulnerability in Java that led to hackers infiltrating the companies' internal networks in February.

Facebook confirmed that its internal network breach was a result of a zero-day exploit in the Java plugin, as did Apple in a statement in mid-February. Law-enforcement agencies were informed in both cases.

Others came forward after initial reports suggested that Chinese hackers were behind the attacks, following reports of intrusions by The New York Times and other high profile newspapers.

The companies said in separate statements that there was "no evidence" to suggest that company or private user data had been stolen.

A "watering hole" technique was used by hackers attacking a popular iPhone and iPad development site, which infected Java-running Apple MacBook machines. The site, riddled with malware that was injected into the website's code, used an exploit in the Java Web plugin to gain access to the employee laptops.
