Oracle released its quarterly patch update last week, fixing a whopping 113 vulnerabilities. As is typical with Oracle, the fixes span the entire range of Oracle products; the only critical vulnerabilities, eight in all, are in Java Workstations (aka client deployment of Java).


Oracle Java has 20 vulnerabilities, of which eight are rated critical, most of them affecting the latest version of Java 8u5. All of the workstation vulnerabilities may be remotely exploitable without authentication.


There were three medium-severity Java vulnerabilities and a whole bundle of fixes for servers and business application software. Although none are rated critical, these vulnerabilities can lead to information disclosure, data corruption or denial-of-service to the vulnerable applications.

So, what do we have?

  • 7 vulnerabilities on Hyperion and its various components
  • 3 vulnerabilities on Oracle Supply Chain Products Suite
  • 5 vulnerabilities on PeopleSoft Enterprise products

Now that Microsoft and Oracle have both released fixes, let’s take a fresh look at all the 2014 critical vulnerabilities published so far. Of the 336 vulnerabilities, 97 percent have a fix; 11 critical vulnerabilities are still waiting for a fix (see table below).

Noticeably absent from this list are any of the top ten most vulnerable vendors mentioned in our blog post last week. The good news is that these vendors are diligent about fixing their vulnerabilities.

Critical Vulnerabilities with no fix per

ID Vendor
43198 MW6 Technologies
43315 Lorex Technology
43480 GetGo Software
43749 Free Download Manager open-source
43773 XnView
43986 Linksys
44012 Symantec
44014 Allied Telesis
44192 Unitrends
44678 ZTE
44711 Real Networks

Visit the Vulnerability Center to view details of the Oracle vulnerabilities fixed in this patch update, or to keep up to date on any of the latest vulnerabilities.