
Oracle’s patch update contains 193 security fixes

The Critical Patch Update (CPU) released by Oracle on Tuesday contains 193 security fixes across several product families.

The update includes 25 security fixes for Oracle Java SE; 23 of the vulnerabilities could be remotely exploited without authentication, and seven of the bugs received a CVSS Base Score of 10.0, the advisory said.

One of the Java bugs that received a fix is CVE-2015-2590, which Trend Micro recently identified as a zero-day vulnerability being exploited by the cyber-espionage group ‘Pawn Storm' – also known as APT28 – to carry out drive-by download attacks against a NATO country and a U.S. defense company.

The CPU contains security fixes for 21 vulnerabilities in Oracle Sun Systems Products Suite, ten of which could be remotely exploited without authentication and five of which received a CVSS Base Score of 10.0, the advisory said.

Of the ten vulnerabilities addressed in Oracle Database Server, two could be remotely exploited without authentication and one received a CVSS Base Score of 9.0. Of the five flaws fixed in Oracle Siebel CRM, three could be remotely exploited without authentication and one received a CVSS Base Score of 9.3.

According to the advisory, all but three of the 39 security fixes for Oracle Fusion Middleware address vulnerabilities that could be remotely exploited without authentication.

The two vulnerabilities addressed in Oracle Commerce Platform and the two bugs fixed in Oracle Communications Applications could all be remotely exploited without authentication, and one of the bugs in the latter product received a CVSS Base Score of 10.0.

The CPU contains security fixes for 11 vulnerabilities in Oracle Virtualization, eight of which could be remotely exploited without authentication. It also contains security fixes for 13 bugs in Oracle E-Business Suite, five of which could be remotely exploited without authentication.

Three bugs were addressed in Oracle Enterprise Manager Grid Control, two of which could be remotely exploited without authentication, and eight vulnerabilities were addressed in Oracle PeopleSoft Products, four of which could be remotely exploited without authentication.

Seven bugs were addressed in Oracle Supply Chain Products Suite and four vulnerabilities were addressed in Oracle Hyperion; each of those products contains one flaw that could be remotely exploited without authentication.

Although the CPU contains fixes for 18 vulnerabilities in Oracle MySQL and 25 bugs in Oracle Berkeley DB, none of the flaws were remotely exploitable without authentication.

Oracle releases four CPUs per year and the next one is scheduled to be released on Oct. 20.
