Oracle Fixes 89 Bugs in Big July Patch Update

Oracle has issued its July Critical Patch Update, with 89 fixes

Within the CPU, Fusion Middleware has the most fixes (21), 16 of which are remotely exploitable. One of them addresses a vulnerability (CVE-2013-2461) in JRockit, the Java Virtual Machine in Fusion Middleware.

The Oracle and Sun Systems Products Suite, meanwhile, has received a total of 16 new security fixes. Eight of the vulnerabilities are remotely exploitable without authentication. And Oracle MySQL has 18 new security fixes, two of which are remotely exploitable.

The remainder of the patches repair issues in Oracle’s Hyperion, Enterprise Manager Grid Control, E-Business Suite, PeopleSoft Enterprise, Industry Applications, Supply Chain Products Suite and VM products.

“As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible,” wrote Eric Maurice, director of Oracle Software Security Assurance, in a blog post.

In the wake of a litany of zero-day vulnerabilities affecting Java browser plug-ins earlier in the year, Oracle announced that Java will begin to be included in the normal CPU schedule starting in October 2013. Maurice noted that at that point, the release of JRockit and Java security fixes will be integrated. He also said that Oracle has been working on addressing a series of known Apache bugs in Oracle HTTP Server.

Oracle has patched 300+ bugs so far in the first half of the year, encapsulating updates in sometimes massive CPUs. “It’s noteworthy that every Oracle CPU release this year has plugged dozens of vulnerabilities,” said Craig Young, a security researcher at Tripwire, in a note to Infosecurity. “By my count, Oracle has already acknowledged and fixed 343 security issues in 2013. In case there was any doubt, this should be a big red flag to end users that Oracle’s security practices are simply not working.”
