Oracle Repairs Flaws In Java, Sun Software With 85-Fix Patch

Oracle issued 85 fixes in a massive Critical Patch Update, repairing a slew of vulnerabilities in both its Sun and Java product lines, many of which could enable malicious hackers to launch remote code execution attacks on users' systems.

Thirty-one of the 85 fixes were for Oracle's newly acquired Sun products, which included OpenSolaris, Open Office, Sun Convergence, Sun Directory Server and Enterprise Edition. Of the Sun patches, 16 repaired vulnerabilities that could be exploited remotely by hackers, while some of the most critical vulnerabilities fixed by the patch affected OpenOffice, Solaris and OpenSolaris.

Specifically, the CPU included five new fixes for OpenOffice, repairing serious vulnerabilities that received at least a 9.3 on Oracle's Common Vulnerability Scoring System, which indicate that the flaws could be exploited by a user with root or administrator privileges.

Oracle executives maintained that the size of the October patch reflected the inclusion of the Sun products.

"While the continuous inclusion of new product lines in the Critical Patch Update program affects the identification of any kind of meaningful trends in overall CPU size, it demonstrates the flexibility of the program," said Eric Maurice, security manager of Oracle's global technology business unit, in a blog post. "It also demonstrates a conscious desire to simplify as much as possible the security patch management tasks for its customers."

Next: Oracle Repairs Java Flaws

In addition, Oracle's October CPU repaired 29 new security vulnerabilities in Java SE and Java for Business, 15 of which earned the highest severity rating of 10 on the company's Common Vulnerability Scoring System, leading Oracle to strongly recommend that customers apply the patch as soon as possible.

Other affected enterprise systems included Oracle Database Server, Oracle Fusion Middleware, Enterprise Manager, E-Business Suite, and supply Chain Products Suite, PeopleSoft Enterprise, Siebel CRM, Primavera and VM.

Seven of the new vulnerabilities included in the patch affect the Database Server, however only one can be exploited remotely without user authentication. The critical Database Server flaw affects Oracle Enterprise Manage Grid Control, enabling it to be exploited remotely by hackers over a network without requiring a username or password.

Oracle urged users to install the patch as soon as possible.

"Oracle continues to recommend that Database customers apply this Critical Patch Update as soon as possible on order to maintain their defense in depth posture," Maurice wrote.