Revealing the details of the security fixes in a pre-release announcement, Oracle said that four of the 128 patches address vulnerabilities in its Oracle Database Server that can be exploited remotely without any authentication. Client-only installations are not affected, because the vulnerabilities are present in the database server itself.
Further, 29 fixes are meant for Oracle Fusion Middleware components such as the Oracle HTTP Server, COREid Access, JRockit, WebCenter, and WebLogic. Remote exploitation without authentication, that is, over a network without the need for a username and password, is possible for 22 vulnerabilities.
Vulnerabilities in the Database Server and in the Middleware components have a CVSS rating of 10.0.
Next up, Oracle E-Business Suite, Oracle Supply Chain Products Suite and Oracle PeopleSoft Products contain 6, 3 and 11 security fixes respectively. There are quite a few other fixes destined for various Sun-branded products as well as Oracle’s financial software and they will be released alongside the updates described above.
The update set releasing today has a higher number of fixes than the one announced in January, which contained 86 fixes. The ‘critical’ classification indicates that the vulnerabilities fixed through the patches are high-impact and that the products need to be patched “as soon as possible,” to deter successful attacks.