Oracle ships giant raft of patches – but none of them for Java


Oracle’s latest Patch Tuesday has come and gone, with the database-and-more behemoth putting out patches for 89 vulnerabilities.

Twelve product sets in the Oracle stable get from 1 to 21 patches each.

These squash a total of 45 RCEs, or Remote Code Execution vulnerabilities.

In Oracle’s own words, which are actually well chosen and plainly put, RCEs are defined as:

"vulnerabilities [that] may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."

The affected product suites are listed below. (Oracle and Sun Systems Products, by the way, means Solaris, if you remember that.)

| Product suite | Patches | RCEs |
|---|---|---|
| Oracle Database Server | 6 | 1 |
| Oracle Fusion Middleware | 21 | 16 |
| Oracle Hyperion | 1 | 0 |
| Oracle Enterprise Manager Grid Control | 2 | 2 |
| Oracle E-Business Suite | 7 | 4 |
| Oracle Supply Chain Products Suite | 4 | 1 |
| Oracle PeopleSoft Products | 10 | 8 |
| Oracle iLearning | 1 | 1 |
| Oracle Industry Applications | 1 | 0 |
| Oracle and Sun Systems Products | 16 | 8 |
| Oracle Virtualization | 2 | 2 |
| Oracle MySQL | 18 | 2 |

The one Oracle product conspicuous by its absence from this list is Java.

That’s because Java is still on its own once-in-four-months update schedule, and received its most recent Critical Patch Update (CPU) last month.

This should be the last time that Java will have to march to the tune of its own drum.

October 2013 is Oracle’s annual “patchinox”, when patches for Java and the rest of Oracle’s products coincide.

The company has said that from then on, all non-emergency Critical Patch Updates will take place quarterly, at the same time.