Oracle splats 300 vulns in MySQL, Database, Fusion, etc, pours fresh brew of Java SE terms
Multiple pre-auth remote code exec holes need pasting over, enterprise IT giant warns
Oracle today issued its quarterly security updates, patching a total of 296 vulnerabilities across its massive line of enterprise software.
The April 2019 update includes fixes for Big Red's flagship Database, Fusion Middleware, and MySQL lines, as well as the introduction of new licensing terms for Java SE.
For Java SE, five vulnerabilities are addressed, all of which Oracle rates as remotely exploitable without authentication, meaning they can be hit over a network with no user credentials. Oracle did not say exactly what each flaw would allow, but the highest CVSS score among them is 9.0, a critical rating that in practice means a network-reachable bug with a high impact on confidentiality, integrity and availability.
This release also marks the introduction of new licensing requirements for Java SE.
For most users, the new Java SE terms will mean very little. Oracle says builds of Java SE for personal and development use will remain free, and business customers who use Java SE as part of another Oracle product will be covered by that product's license.
Those who aren't covered, however, may find themselves needing to obtain a new license in order to get the updates, which is not something you want to be sorting out when the updates in question are potentially critical security fixes. When pressed for more information on who will and won't get the Java SE patches, Oracle referred to its Java SE roadmap.
"If you are an organization used to getting Oracle Java SE binaries at no cost, you can simply continue doing so with Oracle's OpenJDK releases available at jdk.java.net. If you are used to getting Oracle Java SE binaries at no cost as a personal user or for development use, then you can continue to get Oracle Java SE releases through java.com (personal users) and the Oracle Technology Network ('OTN') (developers)," Oracle said in announcing the new policy.
"Those wishing to use the Oracle JDK or Oracle JRE for other uses will require a Java SE Subscription."
Meanwhile, Oracle's Fusion Middleware, including WebLogic, also gets a significant batch of patches: the update addresses 53 security vulnerabilities, 42 of which can be exploited remotely by an attacker without any user credentials.
Database Server gets fixes for six vulnerabilities, one of which is remotely exploitable without authentication, and one of which applies only to client-only installations, so server-only deployments will need just five of the patches.
A good portion of the April updates went to Oracle's Communications Applications lineup, which received 26 fixes, 19 of them for remotely exploitable flaws. The E-Business Suite received fixes for 35 vulnerabilities in all, 33 of them remotely exploitable.
MySQL also received a large batch, with 44 vulnerabilities addressed in total. The fixes are relatively minor, however: just three of those bugs are remotely exploitable without authentication, and the highest CVSS score among them is 6.5.
PeopleSoft apps received 13 patches, eight of them for flaws exploitable remotely without authentication. Solaris was issued fixes for three flaws, two of which can be targeted remotely. ®