Oracle on Tuesday patched 154 vulnerabilities in 54 different products as part of its regularly scheduled Critical Patch Update.
More than half of the patches, 84 to be exact, address vulnerabilities that Oracle claims may be remotely exploitable without authentication.
Java SE accounts for 24 of the vulnerabilities, seven of which are marked high severity. The affected builds include Java SE 6u101, Java SE 7u85, Java SE 8u60 and Java SE Embedded 8u51, so anyone still running the platform, and especially those builds, should make the update a priority. Oracle warns that, under the right conditions, exploitation of these bugs could result in a full compromise of the targeted system.
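A quick way to act on that warning is to check what a host actually reports. The script below is an added example, not code from the article or from Oracle: it parses the banner that `java -version` prints (on stderr) and flags a runtime whose update level is at or below the affected builds the article names (6u101, 7u85, 8u60; Embedded 8u51 reports as an 8u build and is covered by the same threshold). The "at or below" rule and the sample banners are assumptions made for the example, because the page does not state the fixed update numbers; anything outside the 6/7/8 families is reported as unknown rather than guessed.

```python
import re
import subprocess
from typing import Optional, Tuple

# Update levels named in the article as affected, keyed by Java family.
# Assumption for this example: any runtime at or below these update levels
# is treated as unpatched. The fixed update numbers are not given on the page.
AFFECTED_BUILDS = {6: 101, 7: 85, 8: 60}

# Matches the quoted version string in a banner, e.g. "1.8.0_60" -> 1, 8, 60.
VERSION_RE = re.compile(r'"(\d+)\.(\d+)\.\d+_(\d+)')

# Constructed sample banners (not captured from real hosts) for offline use.
SAMPLE_BANNERS = {
    "affected-8u60": 'java version "1.8.0_60"\nJava(TM) SE Runtime Environment (build 1.8.0_60-b27)',
    "affected-7u85": 'java version "1.7.0_85"\nJava(TM) SE Runtime Environment (build 1.7.0_85-b15)',
    "affected-6u101": 'java version "1.6.0_101"\nJava(TM) SE Runtime Environment (build 1.6.0_101-b14)',
    "embedded-8u51": 'java version "1.8.0_51"\nJava(TM) SE Embedded Runtime Environment (build 1.8.0_51-b16)',
    "newer-8u66": 'java version "1.8.0_66"\nJava(TM) SE Runtime Environment (build 1.8.0_66-b17)',
    "unknown-format": 'openjdk version "11.0.2" 2019-01-15',
}


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from a `java -version` banner, or None if unparseable.

    "1.8.0_60" -> (8, 60); the leading "1." of the old scheme is dropped.
    """
    match = VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, update = (int(x) for x in match.groups())
    family = minor if major == 1 else major
    return family, update


def needs_update(banner: str) -> Optional[bool]:
    """True if the banner's build is at or below an affected build, False if
    it is newer, None if the family is not one the article covers."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    if family not in AFFECTED_BUILDS:
        return None
    return update <= AFFECTED_BUILDS[family]


def check_installed_java(java_cmd: str = "java") -> Optional[bool]:
    """Run `java -version` on this host and classify it; None if java is absent."""
    try:
        proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return None
    # The version banner goes to stderr; stdout is appended in case a wrapper redirects it.
    return needs_update(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        print(f"{label:15s} -> needs_update={needs_update(banner)}")
    print(f"{'this host':15s} -> needs_update={check_installed_java()}")
```

Run it on a fleet by feeding each host's banner to `needs_update`; a `None` result means the check could not decide and the host should be reviewed by hand, not treated as patched.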
Oracle Fusion Middleware, the company's digital business platform, accounts for the second-highest number of remotely exploitable bugs, 16.
Only one of the seven vulnerabilities in Oracle Database carries a CVSS score of 10.0, the highest severity, and is exploitable without authentication, but Oracle warns that three other bugs in the software, scored 9.0, should not be ignored either.
Three further vulnerabilities, one each in the company's Siebel customer relationship management software, its Pillar Axiom storage software, and its Applications for Work and Asset Management, are also remotely exploitable without authentication, Oracle warns.
Eric P. Maurice, director of Oracle's Software Security Assurance group, noted in a post on the company's Software Security Assurance Blog Tuesday that the company isn't currently aware of any in-the-wild exploits for the higher-severity vulnerabilities, but acknowledged that could change as attackers reverse-engineer the fixes.
Oracle notes that admins can blunt some attacks by blocking certain network protocols, but it is encouraging customers to apply the fixes as soon as possible rather than rely on such workarounds.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” the advisory reads.
The update is Oracle's last of the year; the company ships its patches in quarterly bundles, and the next is not due until Jan. 19, 2016.