Oracle released another massive critical patch update (CPU) today which contains 104 new security fixes. Java SE took the lion’s share of fixes followed by Fusion Middleware and MySQL. Only two vulnerabilities were fixed in the flagship Database Server 11g and 12c and both the vulnerabilities need credentials to be exploited remotely.
Java fixes include FX and SE, as well as SE Embedded. Out of the 37 Java vulnerabilities that were fixed, CVE-2014-2398 can be exploited remotely without authentication and we recommend you patch that immediately.
All vulnerabilities in the Fusion Middleware can be exploited over the web using HTTP, and 13 out of the 20 can be exploited remotely without authentication.
MySQL version 5.5 and 5.6 was patched, and out of the 14 vulnerabilities only CVE-2014-2431 is exploitable remotely without authentication.
PeopleSoft received 8 vulnerability fixes, and 5 of them can be exploited remotely without authentication if left unpatched.
The large update covering multiple products will be easier to install if a good map of the current versions exists. In any case we recommend addressing vulnerabilities on systems that are Internet accessible first.