Included in the patch are critical fixes for Java SE and the Oracle Sun Systems Products Suite.
All up this means that the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication and can possibly be exploited over a network without the need for a username and password.
The worst of the bugs are in Java SE, Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities.
Writing in the company blog, Oracle said that out of these 19 Java vulnerabilities, 15 affect client-only installations, two affect client and server installations, and two affect JSSE installations.
The blog says that the lower number of Oracle Java SE fixes reflect the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization.
While that might be true, the ton of patches in the rest of the software suggests that while Java is being closely watched, other bits are not.
In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.
The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication. Oracle MySQL has nine security fixes.
There are also: 10 fixes for Oracle Enterprise Manager Grid Control; 10 for Oracle E-Business Suite; six for the Oracle Supply Chain Products Suite; seven security fixes for Oracle PeopleSoft products; 17 for Oracle Siebel CRM; one for Oracle JD Edwards Products; two for Oracle iLearning; two for Oracle Communications Applications; one for Oracle Retail Applications; one for Oracle Health Sciences Applications and 11 new security fixes for Oracle Virtualisation.