Oracle has fixes for 78 security vulnerabilities slated for next week as part of its first critical update of the year.
The patches are expected to touch the Oracle Database Server, Fusion Middleware, E-Business Suite, Supply Chain, PeopleSoft, JD Edwards, Virtualization, Sun and MySQL products. The most serious of the vulnerabilities affects the company’s Sun product suite and has a CVSS (Common Vulnerability Scoring System) 2.0 rating of 7.8.
As usual, details of the actual vulnerabilities were scarce in Oracle’s pre-release announcement. However, the company noted that the Sun suite components addressed by the update are GlassFish Enterprise Server, Oracle Communications Unified, Oracle OpenSSO and Solaris. In all, the suite is home to 17 of the vulnerabilities set to be fixed in the update. Six of these can be exploited remotely without authentication.
The product with the largest number of vulnerabilities expected to be addressed by the update is MySQL. According to Oracle, 27 of the vulnerabilities reside in MySQL Server, including one that can be exploited over a network without the need for a username or password. The Oracle Database Server contains just two vulnerabilities being addressed by the update. Also included in the update are fixes for 11 vulnerabilities in Oracle Fusion Middleware, three in the Oracle E-Business Suite, eight in JD Edwards products, six in PeopleSoft products, three in Oracle Virtualization software and one in the Oracle Supply Chain products suite.
The update is scheduled to be available Tuesday, January 17.
“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” Oracle noted in its pre-update advisory. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”