Oracle released a record-breaking 334 security fixes in its first critical patch update of the year. Attackers may have successfully exploited some of these bugs, according to Oracle, but a spokesperson would not provide additional information about which vulnerabilities, if any, resulted in security breaches.

The January 2020 Critical Patch Update Advisory says the bugs affect more than 90 Oracle products, and two of them in the vendor’s Human Resources software earned a 9.9 out of 10 severity rating. Neither of these two security flaws, however, can be exploited remotely without authentication.

But 38 other vulnerabilities with a 9.8 severity rating can be exploited over a network without requiring user credentials. So can dozens of others listed in the critical patch update with lesser severity ratings.

These 9.8-rated bugs hit several Oracle products including its Communication Applications, Construction and Engineering, Enterprise Manager, Fusion Middleware, Health Sciences Applications, Hyperion, JD Edwards, PeopleSoft, Retail Applications, Siebel CRM, Systems, and Utilities Applications product families.

Oracle urges all customers to apply the security patches as soon as possible. “Until you apply the Critical Patch Update patches, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack,” the alert said. “For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.”

The January 2020 Critical Patch Update (CPU) sets an all-time record for Oracle, beating its previous most-buggy CPU, from July 2017. That update included 310 security fixes.

Oracle’s alert follows Microsoft’s first Patch Tuesday of the year, also released this week, which addressed 50 security flaws, including a particularly nasty bug discovered by the National Security Agency that affects Windows 10, Windows Server 2016, and Windows Server 2019.