The majority of the vulnerabilities fixed by the update pertain to the JRE (Java Runtime Environment); these vulnerabilities can be exploited without authentication, meaning attackers would not need a username and password.
All told, eight of the vulnerabilities had a severity rating of 10 out of 10, two others were rated 7.6, and four more carried a rating of 5.0.
According to Oracle, 13 of the 21 vulnerabilities affect Java client deployments, and 12 of those 13 can be exploited via untrusted Java Web Start applications and untrusted Java applets, which run in the Java sandbox with limited privileges. One of the client vulnerabilities affects the Windows-specific Java Update component.
Three of the vulnerabilities affect client and server deployments and may also be exploited through untrusted applications and applets, as well as by providing data to APIs in specific components through, for example, a Web service.