Oracle’s April 2014 Critical Patch Update has been released, and solves a total of 104 vulnerabilities found across many of its products, including Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite, Oracle iLearning, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.
The most important ones for regular users are the patches addressing 37 vulnerabilities in Java SE, as four received a CVSS Base Score of 10.0 (Highly Critical – remote code execution, easily exploitable).
“Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update, Oracle strongly recommends that customers apply it as soon as possible,” the company advised.
If you are wondering if any of these patches address the Heartbleed bug (CVE-2014-0160), the answer is no.
Oracle has recently published a detailed document about which of its products are affected by the bug, and Java SE is not among them as it does not include OpenSSL.
Still, they warned that the “surrounding technical environment deployed around these products should be checked for the presence of other components, which may be affected by this vulnerability.”
Oracle has already patched some of its products that were vulnerable because of the Hearbleed bug, and is working on fixing the rest (14 in all).