Java is immunized against 22 remotely exploitable glitches

Oct 14, 2014 14:03 GMT  ·  By

For its quarterly Critical Patch Update, Oracle has prepared fixes for a total of 155 security flaws across 44 of its products.

The company posted a pre-release announcement to tell system administrators which products would be patched on Tuesday, so that they can plan a faster rollout of the new versions.

Highest CVSS score for Java vulnerability is 10

Java SE is also on the list and is scheduled to receive no fewer than 25 fixes, most of them for flaws that can be exploited remotely.

The risk is particularly high because, according to Oracle, an attacker would not need to authenticate in order to exploit them.

According to the pre-release note, Java recorded the highest base score of any vulnerability addressed in this set of updates: 10, the maximum on the Common Vulnerability Scoring System (CVSS) version 2.0 scale. Oracle says the highest-severity flaws affect Java SE and Java SE Embedded.

Other Java components receiving patches include JavaFX and JRockit.

Remotely exploitable flaws in other products as well

In the case of the Database Server, the most critical flaw has a CVSS base score of 9, and although 32 security fixes are delivered, only one of the flaws is remotely exploitable without authentication, that is, without the attacker having to supply a username and password.

The components listed for patching include Application Express, Core RDBMS, Java VM, JDBC, JPublisher, PL/SQL and SQLJ.

Oracle says several versions of the product are affected: Oracle Database 11g Release 1 and Release 2, as well as Oracle Database 12c Release 1.

Fusion Middleware is another Oracle product with remotely exploitable flaws: of the 17 fixes it receives in this update, 13 address bugs that can be exploited remotely.

Compared with the other two products, the most severe flaw in Fusion Middleware has a lower CVSS base score: 7.5.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” the company warns.

In late September, Oracle released out-of-band updates for some of its products affected by the Shellshock bug. Initially, 32 of the 35 products on its list were still exposed to attack, but the company continued to work on the necessary patches and has since made fixes available for 18 of them.

However, more products have since been found to be affected by Shellshock, and the list has now grown to 39.