Oracle releases 167 critical security fixes for Java and Sun systems

[steven36]

Oracle has released a critical patch update fixing 167 vulnerabilities across hundreds of its products, warning that the worst of them could be remotely exploited by hackers.

The pressing fixes involve several of Oracle's most widely used products and scored a full 10.0 rating on the CVSS 2.0 Base Score for vulnerabilities, the highest score available.

"The highest CVSS 2.0 Base Score for vulnerabilities in this critical patch update is 10.0 for Fujitsu M10-1 of Oracle Sun Systems Products Suite, Java SE of Oracle Java SE, M10-4 of Oracle Sun Systems Products Suite and M10-4S Servers of Oracle Sun Systems Products Suite," read the advisory.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply critical patch update fixes as soon as possible."

Oracle warned that the updates for Fujitsu M10-1 of Oracle Sun Systems Products Suite are particularly important.

"This critical patch update contains 29 new security fixes for the Oracle Sun Systems Products Suite," the advisory said.

"Ten of these vulnerabilities may be remotely exploitable without authentication [and] may be exploited over a network without the need for a username and password."

The Oracle Java SE update fixes 19 flaws, 14 of which were also remotely exploitable.

The next most serious flaws relate to Oracle's Fusion Middleware, which received 35 security fixes. The worst carries a 9.3 rating and could also be remotely exploited.

The update follows reports that hackers are targeting enterprise companies with malware-laden patches purporting to come from Oracle.

The news comes during a period of heated debate about patching best practice. Microsoft announced plans on 9 January to stop offering non-paying customers advanced patch notifications.

The announcement led to a backlash in the security community, many feeling that the move is a money-grabbing tactic by Microsoft.

Prior to the move, Microsoft came to blows with Google over the search firm's public disclosure of a Windows bug.

Google Project Zero researchers publicly disclosed the bug in December 2014 having privately reported it to Microsoft in September. The move led to a debate about what constitutes responsible threat disclosure.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the following products:

• Oracle Database Server, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
• Oracle Fusion Middleware, version(s) 10.1.3.5, 11.1.1.7, 11.1.2.1, 11.1.2.2, 12.1.2, 12.1.3
• Oracle Fusion Applications, versions 11.1.2 through 11.1.9
• Oracle Access Manager, version(s) 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
• Oracle Adaptive Access Manager, version(s) 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
• Oracle BI Publisher, version(s) 10.1.3.4.2, 11.1.1.7
• Oracle Business Intelligence Enterprise Edition, version(s) 10.1.3.4.2, 11.1.1.7
• Oracle Containers for J2EE, version(s) 10.1.3.5
• Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7
• Oracle Exalogic Infrastructure, version(s) 2.0.6.2.0 (for all X2-2, X3-2, X4-2)
• Oracle Forms, version(s) 11.1.1.7, 11.1.2.2
• Oracle GlassFish Server, version(s) 3.0.1, 3.1.2
• Oracle HTTP Server, version(s) 10.1.3.5.0, 11.1.1.7.0, 12.1.2.0, 12.1.3.0
• Oracle OpenSSO, version(s) 8.0 Update 2 Patch 5
• Oracle Real-Time Decision Server, version(s) 11.1.1.7, RTD Platform 3.0.x
• Oracle Reports Developer, version(s) 11.1.1.7, 11.1.2.2
• Oracle SOA Suite, version(s) 11.1.1.7
• Oracle Waveset, version(s) 8.1.1
• Oracle WebCenter Content, version(s) 11.1.1.8.0
• Oracle WebLogic Portal, version(s) 10.0.1.0, 10.2.1.0, 10.3.6.0
• Oracle WebLogic Server, version(s) 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
• Enterprise Manager Base Platform, version(s) 12.1.0.3, 12.1.0.4
• Enterprise Manager Ops Center, version(s) 11.1, 11.1.3, 12.1, 12.1.4, 12.2
• Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, 12.2.4
• Oracle Agile PLM, version(s) 9.3.3
• Oracle Agile PLM for Process, version(s) 6.1.0.3
• Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5
• PeopleSoft Enterprise HRMS, version(s) 9.1
• PeopleSoft Enterprise PeopleTools, version(s) 8.52, 8.53, 8.54
• JD Edwards EnterpriseOne Tools, version(s) 9.1.5
• Oracle Enterprise Asset Management, version(s) 8.1.1, 8.2.2
• Siebel Applications, version(s) 8.1.1, 8.2.2
• Oracle iLearning, version(s) 6.0, 6.1
• Oracle Communications Diameter Signaling Router, version(s) 3.x, 4.x, 5.0
• Oracle Communications Messaging Server, version(s) 7.0.5.33.0 and prior
• Oracle MICROS Retail, version(s) Xstore: 3.2.1, 3.4.2, 3.5.0, 4.0.1, 4.5.1, 4.8.0, 5.0.3, 5.5.3, 6.0.6, 6.5.2
• Oracle Healthcare Master Person Index, version(s) 1.x, 2.x
• Oracle Java SE, version(s) 5.0u75, 6u85, 7u72, 8u25
• Oracle Java SE Embedded, version(s) 7u71
• Oracle JRockit, version(s) R27.8.4, R28.3.4
• Fujitsu M10-1, M10-4, M10-4S Servers, version(s) prior to XCP 2240
• Integrated Lights Out Manager(ILOM), version(s) prior to 3.2.4
• Solaris, version(s) 10, 11
• Solaris Cluster, version(s) 3.3, 4.1
• SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) before XCP 1119
• Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.0, 5.1
• Oracle VM VirtualBox, version(s) prior to 3.2.26, 4.0.28, 4.1.36, 4.2.28, 4.3.20
• MySQL Server, version(s) 5.5.40 and prior, 5.6.21 and prior

Source And Info From Oracle

[banned]

Oracle Java SE, version(s) 5.0u75, 6u85, 7u72, 8u25

It seems we may need to update the listing on nsanedown ?