A quarterly patch cycle will naturally deliver more fixes per release than a monthly one, but even by those standards Oracle released a large number of fixes this time around.
The company released 127 security fixes for its products, including 51 patches for Java, as part of its quarterly critical patch update (CPU).
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the company said. Vulnerabilities detailed in the security bulletin affect all versions of Java (versions 5, 6 and 7), as well as Oracle Database 11g and 12c, Fusion Middleware, Enterprise Manager, E-Business Suite, Flexcube Products Suite, Oracle’s Health Sciences and Retail Products suites, Primavera, PeopleSoft, Siebel and MySQL.
While Oracle’s critical patch update fixes only recent versions of many of those programs, the company said older, unsupported versions may have the same bugs. “It is likely that earlier versions of affected releases are also affected by these vulnerabilities,” Oracle said. “As a result, customers are recommended to upgrade to supported versions.”
Of the 51 Java patches, 50 involve remotely exploitable vulnerabilities, and an equal number of flaws affect Java applets or Java WebStart, which allows Java apps to run from the browser. Twelve of the Java bugs score a “10” on the CVSSv2 vulnerability index, meaning they can be exploited remotely.
The Java vulnerabilities affect client-side and server-side Java. Java 7 update 45 is now the latest version of the software.
For those still using Java 6 — or any prior version — the security advice is to upgrade immediately, or else take steps to safeguard the machine, especially since related attacks will no doubt start soon. Java 6 is also vulnerable to 11 of the 12 highly critical vulnerabilities, but there are no more public patches for Java 6, officials said. The recommended action for Java 6 is to upgrade to Java 7.