According to the Oracle security advisory, 35 of the flaws being fixed can be remotely exploited without authentication. Oracle rated four of the vulnerabilities a 10, the most severe ranking. The vulnerabilities that received the score of 10 affect Oracle Audit Vault, JRockit, Solaris, and WebLogic Server.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU [critical patch update] fixes as soon as possible”, the company said in its advisory.
The company added that until the CPU fixes are applied, “it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack.”
In a blog post, Paul Ducklin, Sophos’s head of technology, Asia Pacific, commented on the Oracle advisory: “It's majestically-sized, covering 28 listed products, one of which – the Oracle Sun Products Suite – itself covers ten sub-products, including Solaris and VirtualBox. The Oracle Fusion Middleware patches cover nine sub-products, including the Oracle HTTP server. And three components in the Oracle Open Office Suite get patches, too.”