Many of the vulnerabilities could be remotely exploitable by an attacker without authentication. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible”, Oracle advises users.
Affected products include the Oracle Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, Supply Chain Products Suite, PeopleSoft Enterprise, FLEXCUBE financial services softeare, Primavera, Sun products, and MySQL Server.
“A large number, 33, of the 88 patches are for the most critical class of vulnerabilities, remote code execution (RCE) vulnerabilities, which are software flaws that allow a remote attacker to exploit the targeted software without prior authentication. Compare this to last quarter's release, which had 16 RCEs in 78 patches. Of the mainstream software lines, only MySQL and the Siebel Clinic product are not affected by the RCE type vulnerabilities”, commented Wolfgang Kandek, chief technology officer at Qualys.
Kandek noted that Oracle did not include an update for Java, because it is on a separate schedule. Java was last updated in February, when Oracle plugged 14 security holes.