Two of the MySQL vulnerabilities can be exploited by an attacker remotely without the need for a user name and password, according to a pre-release announcement posted on Oracle's website. At least one has a "base score" of 9.0 on the CVSS (Common Vulnerability Scoring System), which runs from 1 to 10, with 10 being the most dangerous.
The patch batch, which is scheduled for Tuesday, also includes one fix for Oracle's flagship database, including versions 10g R2, 11g R1 and 11gR2. While the vulnerability in question also has a CVSS base score of 9.0, it can't be exploited remotely without credentials, according to the announcement.
But another five patches will be shipped for Oracle Database Mobile/Lite Server, and all of them are remotely exploitable without requiring authentication, Oracle said. This grouping's highest CVSS base score is 10.0, according to Oracle.
Various components of Oracle Fusion Middleware, including WebLogic Server and Access Manager, will receive seven patches.
Some 13 patches concern Oracle Enterprise Manager Grid Control. All are exploitable remotely without credentials.
The remaining fixes set to ship Tuesday cover Oracle applications such as E-Business Suite and JD Edwards, as well as the Sun Storage Common Array Manager and Oracle's virtualisation technology.
Oracle's last patch release, which came in October, fixed 109 problems.