On Tuesday 14 January, Oracle will be releasing its quarterly batch of security updates – and it’s gonna be a doozy.
Oracle’s critical patch update will address multiple security issues, including “144 new security vulnerability fixes across hundreds of Oracle products”.
Oracle says that it is strongly recommending that customers apply the patches “as soon as possible” because of “the threat posed by a successful attack.”
As always, the risk is that one of these vulnerabilities might be exploited by a hacker to run malware on your computer.
Many of the vulnerabilities are said to be “remotely exploitable without authentication” – which means that for an attack to be successful against your computer, the attacker wouldn’t need a username and password.
The Oracle product which will grab the most headlines because of its need to be patched is probably Java SE, used on a large number of both business and consumer computers and long regarded as something of a “Swiss cheese” for its numerous security holes.
Oracle says that Tuesday’s release will contain 36 fixes for Java, 34 of which can be exploited by an attacker without the need for authentication.
More details can be found in Oracle’s pre-announcement about the security updates, but here is a list of affected products:
|Oracle Database 11g Release 1, version 220.127.116.11|
|Oracle Database 11g Release 2, versions 18.104.22.168, 22.214.171.124|
|Oracle Database 12c Release 1, version 126.96.36.199|
|Oracle Fusion Middleware 11g Release 1, versions 188.8.131.52, 184.108.40.206|
|Oracle Fusion Middleware 11g Release 2, versions 220.127.116.11, 18.104.22.168|
|Oracle Fusion Middleware 12c Release 2, version 12.1.2|
|Oracle Enterprise Data Quality, versions 8.1, 9.0.8|
|Oracle Forms and Reports 11g, Release 2, version 22.214.171.124|
|Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, versions 8.1, 8.2|
|Oracle HTTP Server 11g, versions 126.96.36.199, 188.8.131.52|
|Oracle HTTP Server 12c, version 12.1.2|
|Oracle Identity Manager, versions 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124|
|Oracle Internet Directory, versions 126.96.36.199, 188.8.131.52|
|Oracle iPlanet Web Proxy Server, version 4.0|
|Oracle iPlanet Web Server, versions 6.1, 7.0|
|Oracle Outside In Technology, versions 8.4.0, 8.4.1|
|Oracle Portal, version 184.108.40.206|
|Oracle Reports Developer, versions 220.127.116.11, 18.104.22.168, 22.214.171.124|
|Oracle Traffic Director, versions 126.96.36.199, 188.8.131.52|
|Oracle WebCenter Portal versions 184.108.40.206.0, 220.127.116.11.0, 18.104.22.168.0|
|Oracle WebCenter Sites versions 22.214.171.124.1, 126.96.36.199.0|
|Hyperion Essbase Administration Services, versions 188.8.131.52, 184.108.40.206, 220.127.116.11|
|Hyperion Strategic Finance, versions 18.104.22.168, 22.214.171.124|
|Oracle E-Business Suite Release 11i, version 126.96.36.199|
|Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3|
|Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1|
|Oracle AutoVue Electro-Mechanical Professional, versions 20.1.1, 20.2.2|
|Oracle Demantra Demand Management, versions 7.3.1, 12.2.1, 12.2.2, 12.2.3|
|Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2|
|Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0|
|Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2|
|Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53|
|Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2|
|Oracle Siebel Core, versions 8.1.1, 8.2.2|
|Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2|
|Oracle iLearning, version 6.0|
|Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 188.8.131.52, 3.0, 12.0.1, 12.0.2|
|Oracle JavaFX, versions 2.2.45 and earlier|
|Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier|
|Oracle Java SE Embedded, versions 7u45 and earlier|
|Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier|
|Oracle Solaris versions 8, 9, 10, 11.1|
|Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10|
|Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6|
|Oracle MySQL Enterprise Monitor, versions 2.3, 3.0|
|Oracle MySQL Server, versions 5.1, 5.5, 5.6|
And don’t forget – as if you weren’t busy enough with security patches – Oracle times its quarterly security fixes to coincide with the regular monthly security updates from Microsoft and Adobe.