Oracle released their latest Critical Patch Update (CPU), containing 144 security fixes across all product families, including 36 for Java SE. Oracle stated that 34 of these vulnerabilities may be exploited over a network without authentication, and they recommend applying CPU fixes as soon as possible. Other products patched in this CPU include PeopleSoft, Fusion Middleware, and their flagship relational database.
Oracle stated that a successful attack on these vulnerabilities may result in unauthorized update, insert or delete access to some Java SE accessible data and read access to a subset of it. An attack may also cause a partial denial of service (DoS) of Java SE.
The Risk Matrix for Oracle Java SE lists the Common Vulnerabilities and Exposures (CVE) identifiers along with a description of each vulnerability.
Oracle introduced the CPU program, a designation indicating a set of patches for security flaws, in January 2005. Separate Java SE security fixes have been released under the normal CPU schedule since October 2013. The next four release dates are 15 April 2014, 15 July 2014, 14 October 2014 and 20 January 2015.
The list of patches contains both cumulative and non-cumulative CPUs. (Cumulative CPUs contain all fixes for that product, including those from previous updates.) The patch availability table provides more information about cumulative and non-cumulative patches, along with an installation guide.
Patches released through the CPU program are available for products covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. In the CPU Advisory, Oracle cautions:
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.