Oracle’s Critical Patch Update for January fixes 167 issues across 48 of the company’s products.
The patches become available Tuesday, and the most severe of the problems carry the maximum base score of 10 under version 2 of the Common Vulnerability Scoring System (CVSS).
Eleven of the bugs fixed in this update were reported by database security expert David Litchfield.
In a tweet Monday he said he found one of the bugs while checking a client’s systems. At first, he believed that a compromise had occurred and that the attacker had left a backdoor.
On closer inspection, Litchfield discovered the backdoor was Oracle’s own, part of a seeded installation of the E-Business Suite. It gave regular users a path to administrative privileges, meaning that anyone with sufficient knowledge could gain full access to the databases.
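A practitioner who wants to check their own Oracle databases for the class of problem described here, an installation-seeded grant that gives ordinary accounts a path to administrative privileges, can start with a privilege audit like the one below. This is an added example, not Oracle’s or Litchfield’s code, and the article does not identify the specific grant, so the queries look for the general pattern rather than one object. APPS_USER is an assumed placeholder for an application schema name; run the queries as a DBA-privileged account.

```sql
-- Added example: generic privilege audit for an Oracle database.
-- Not Oracle's own check and not the specific E-Business Suite grant
-- from the article (which the article does not identify).
-- APPS_USER is an assumed placeholder for an application schema.

-- 1. Which accounts and roles hold the DBA role?
--    Anything here that is not a named administrator needs an explanation.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE granted_role = 'DBA'
 ORDER BY grantee;

-- 2. Object privileges granted to PUBLIC on SYS-owned objects beyond
--    read/execute. Grants that let every account alter, index or modify
--    SYS objects are a classic route to running code as SYS, and an
--    application installer is a common source of such grants.
SELECT owner, table_name, privilege, grantor
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner = 'SYS'
   AND privilege NOT IN ('SELECT', 'EXECUTE', 'READ')
 ORDER BY table_name, privilege;

-- 3. Powerful system privileges held by PUBLIC, the application schema,
--    or any grantee other than the built-in administrators. The ANY
--    privileges (SELECT ANY TABLE, EXECUTE ANY PROCEDURE, CREATE ANY
--    INDEX, ...) reach across every schema, including SYS.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE (grantee IN ('PUBLIC', 'APPS_USER') OR privilege LIKE '%ANY%')
   AND grantee NOT IN ('SYS', 'SYSTEM', 'DBA')
 ORDER BY grantee, privilege;

-- 4. Who granted what to PUBLIC, regardless of owner? The GRANTOR column
--    shows whether a grant came from SYS at install time or from an
--    application account later, which helps separate seeded grants
--    from ones added by hand.
SELECT grantor, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY grantor, owner, table_name;
```

Query 2 is the one most likely to surface an installer-seeded problem: a normal database returns few or no rows for it, so any row is worth tracing back to the product that created it. Extend the exclusion lists in queries 3 and 4 with the administrative accounts your own environment legitimately uses rather than accepting the defaults shown.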
According to the pre-release announcement, one of the products carrying a score-10 vulnerability is Java Standard Edition (SE).
Java SE receives 19 fixes in total, 14 of them for vulnerabilities that are remotely exploitable.
Oracle said these can be exploited over a network without the attacker having to supply a username or password.
Other Java components included on the list of repairs are Java SE Embedded and JRockit.
The product that received the most attention is Oracle Fusion Middleware, which picks up 35 new security patches, 28 of them for vulnerabilities that can be exploited remotely without authentication.
Next in line is the Oracle Sun Systems Products Suite, with 29 security fixes for components such as the Fujitsu M10-1 and M10-4S servers, M9000 servers, Solaris, Solaris Cluster and SPARC Enterprise M3000.
Ten of these can be exploited remotely without authentication; the most serious carries the maximum score of 10.
The company advises users to apply the fixes in the Critical Patch Update as soon as possible to reduce the risk of attack.
Oracle releases Critical Patch Updates quarterly; this year’s are scheduled for January 20, April 14, July 14 and October 20.