Oracle fixed 128 vulnerabilities with its April 2013 Critical Patch Update (CPU).
The April 2013 CPU covers 13 product groups. Oracle’s Fusion product group has 29 vulnerabilities addressed, also with a top score of 10.
“Patch as quickly as possible,” said Wolfgang Kandek, CTO at Qualys. “One of the vulnerabilities is in the Oracle Outside-In product, used by Microsoft Exchange server. It is scored at 6.8, which means we will see an Exchange update in the near future.”
Oracle Solaris has 16 flaws with a top score of 6.4. Two of them are remotely exploitable, so IT admins should include these two vulnerabilities in their patch priority list as well.
Oracle’s MySQL database, meanwhile, has 25 vulnerabilities addressed, with a maximum CVSS score of 6.9, a mid-level score that will give IT admins more time to react.
Other products updated include PeopleSoft, Supply-Chain, E-Business and CRM.
Outside of the CPU, Oracle published a new version of Java that addresses 42 distinct vulnerabilities, with 19 having a score of 10. This update also addresses the vulnerabilities found during the Pwn2Own competition at CanSecWest in Vancouver during March, where Java ended up exploited by three different security researchers.
Oracle also changed the alerts that come up when running a Java applet, introducing distinct states that give more information overall on the nature of the applet. The new versions are update 21 for Java v7 and update 45 for Java v6.