Oracle released a critical patch update on Tuesday that contains fixes for 144 individual vulnerabilities existing across hundreds of its products, including several in Java, which recently led to millions of Yahoo visitors being exposed to malicious advertisements.
“This Critical Patch Update contains 36 new security fixes for Oracle Java SE,” according to a release. “34 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.”
Other Oracle products are ripe with vulnerabilities, as well.
The Fusion Middleware patch contains 22 fixes and 19 of those vulnerabilities are remotely exploitable without authentication, while the MySQL patch addresses 18 issues, only three of which are remotely exploitable without authentication.
The PeopleSoft Products patch contains 17 fixes, 10 of which may be remotely exploitable without authentication, and the Supply Chain Products Suite patch contains 16 fixes, of which six of those vulnerabilities are remotely exploitable without authentication.
The patch contains fixes for Oracle's Database Server, E-Business Suite Executive Summary, Siebel CRM, Hyperion, Virtualization, iLearning, and Financial Services Software too, as well as the Oracle and Sun Systems Products Suite.
Due to the threats posed by some of these vulnerabilities, Oracle is urging all users apply the fixes as soon as possible. In the Yahoo incident, visitors were directed to scam websites where they were exposed to malware, including Zeus, Andromeda and other trojans.
Oracle puts out patches every quarter and the next round of updates are scheduled for release on April 15, July 15, Oct. 14 and Jan. 20, 2015.