Java SE vulnerability CVE-2014-6513 is the only bug to receive a CVSS Base Score of 10.0.
Java SE vulnerability CVE-2014-6513 is the only bug to receive a CVSS Base Score of 10.0.

Oracle released its Critical Patch Update (CPU) on Tuesday, issuing 154 security fixes for numerous vulnerabilities in various products.

The CPU contains 25 fixes for vulnerabilities in Oracle Java SE, 22 of which could be remotely exploitable without authentication, according to a Tuesday post. CVE-2014-6513 was given a CVSS Base Score of 10.0, and eight other bugs received a rating of 7.6 or higher.

“All but one low scoring vulnerability [applies] only to client side installations of Java, rather than Java running on a server,” Wolfgang Kandek, CTO of Qualys, wrote in a statement emailed to SCMagazine.com on Tuesday. “If you use Java on the desktop on version 6, 7 or 8 take a look at these updates.”

The CPU contains 24 fixes for security flaws in Oracle MySQL, nine of which could be remotely exploitable without authentication, the post indicates. CVE-2014-6507, CVE-2014-6491 and CVE-2014-6500 received a CVSS Base Score of 7.5 or higher.

“We often see MySQL database servers accessible through the Internet, so if you are running such a configuration an update is recommended,” Kandek wrote.

The CPU contains 31 fixes for bugs in Oracle Database Server, two of which could be exploited remotely without authentication, and three of which are applicable to client-only installations, according to the post. Six vulnerabilities were given a CVSS Base Score of 9.0.

Oracle Sun Systems received 15 security fixes, six of which may be remotely exploitable without authentication, and four of which received CVSS Base Scores higher than 7.0, the post indicates. 18 fixes were issued for vulnerabilities in Oracle Fusion Middleware, 14 of which may be exploited remotely without authentication.

The CPU contains 10 fixes for flaws in Oracle E-Business Suite, eight of which may be remotely exploitable without authentication, and one – CVE-2014-4278 – that received a CVSS Base Score of 7.5, according to the post.

Five fixes are available for bugs in Oracle PeopleSoft Products, only one of which could be remotely exploitable without authentication, the post indicates, and five fixes are available for Oracle Supply Chain Products Suite vulnerabilities, two of which may be exploited remotely without authentication.

The CPU contains two fixes for flaws in Oracle Communications Applications, one of which could be remotely exploited without authentication, and seven fixes for bugs in Oracle Virtualization, six of which could be exploited remotely without authentication, according to the post.

All of the vulnerabilities addressed in four fixes for Oracle Retail Applications may be exploited remotely without authentication, and the same goes for all the bugs addressed in three fixes for Oracle Health Sciences, the post indicates.

Two security fixes are available for Oracle Enterprise Manager Grid Control, but neither may be remotely exploited without authorization and none are applicable to client-only installations, according to the post. Oracle JD Edwards Products received one fix, but the vulnerability is not remotely exploitable without authentication – the same goes for the bugs addressed in two fixes for Oracle Primavera Products Suite.

“The highest patching priorities will be in Oracle Database, Oracle's Java VM, Solaris and MySQL, which are all widely deployed products, however, a vast range of Oracle products [were issued patches on Tuesday] and users in Oracle heavy environments will be hard pressed to get these fixes tested and rolled out in a timely manner,” Ross Barrett, senior manager of security engineering at Rapid7, wrote in a statement emailed to SCMagazine.com on Tuesday.