Oracle preps 128 security patches; Java gets 42

Fixes are coming today for "hundreds" of Oracle products, following a series of high-profile corporate hacks pegged to a zero-day vulnerability in Java.

Zack Whittaker
Zack Whittaker Writer-editor
Zack Whittaker is a former security editor for CNET's sister site ZDNet.
2 min read

Oracle will release today 128 fixes for security vulnerabilities that affect "hundreds" of its products.

The software giant and Java maker said in a pre-release announcement today that four of the patches include fixes for Oracle's flagship database product, which can be exploited remotely without the need for a username or password.

Also, 29 security fixes will arrive for Oracle Fusion Middleware, with 22 of these also for preventing attacks without the need for authentication.

Affected components include Oracle HTTP Server, JRockit, WebCenter, and WebLogic.

Both Oracle products have a common vulnerability scoring system (CVSS) rating of 10, described as the most severe vulnerability.

Oracle E-Business Suite contains six security fixes, Oracle Supply Chain Products Suite has three security fixes, and Oracle PeopleSoft Products contains 11 security fixes.

Dozens more fixes for various Sun-branded products and Oracle financial software will arrive later today when Oracle releases the patches over the usual update channels.

The "critical" patch update contains more security fixes than the release in January, which contained 86 fixes. The high impact nature of these updates mean that the affected Oracle products must be patched "as soon as possible," as a result of the "threat posed by a successful attack."

Patches for Java
The Web plug-in Java, developed by Oracle, will also receive a number of updates, including 42 security patches.

Out of the total number, only three vulnerabilities relate to issues that are not remotely exploitable issues, meaning the software can be attacked over a network without the need for a username or password.

Affected Java software includes Java 5 (Update 41) and earlier, Java 6 (Update 43) and earlier, and Java 7 (Update 17) and earlier. JavaFX 2.2.7 and earlier versions are also affected.

Under Oracle's own CVSS rating system, some flaws rate as important though not critical, while some reach the highest rating of 10.

It comes only a few months after Java software was pinpointed by a number of major technology companies as being the root cause of a series of successful corporate hacking attacks.

Facebook, Apple, Twitter, and NBC, as well as a number of others, all suffered as a result of a zero-day vulnerability in Java that led to hackers infiltrating internal networks in February.

Facebook confirmed that its internal network breach was a result of a zero-day exploit in the Java plug-in, as did Apple in a statement in mid-February. Law-enforcement agencies were informed in both cases.

Others came forward after initial reports suggested that Chinese hackers were behind the attacks, following reports of intrusions by The New York Times and other newspapers.

A "watering hole" technique was user by hackers attacking a popular iPhone and iPad development site that infected Java-running Apple MacBook machines. The site, riddled with malware that was injected into the Web site's code, used an exploit in the Java Web plug-in to gain access to employee laptops.

This story originally posted as "Oracle to release 128 security patches, hundreds of products affected" on ZDNet.