Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Issues Massive Security Update With Critical Fixes for Java, Fusion Middleware

Oracle released a mammoth security update that fixes 144 security vulnerabilities – including critical flaws in Java SE and Oracle Fusion Middleware.

Oracle released a mammoth security update that fixes 144 security vulnerabilities – including critical flaws in Java SE and Oracle Fusion Middleware.

Tucked inside the massive release are 36 fixes for Oracle Java SE, 34 of which can be exploited remotely without authentication. The highest CVSS Base Score of the Java vulnerabilities is a 10.0 – the highest possible overall vulnerability score. According to Oracle, the Java SE components affected by the vulnerabilities are: Java SE, Java SE Embedded, JavaFX and JRockit.

Oracle Security Patches“Java was one of the most attacked [software products] in 2013 and it will continue to be so due to its sluggish update record,” blogged Wolfgang Kandek, CTO of Qualys. “It was in the news recently when attackers installed malware through advertisements on Yahoo’s homepage by abusing a Java vulnerability on the affected users’ machines. Fix this vulnerability first, and if you encounter resistance to updating Java, map out why the machines in question cannot run this latest version.”

The update also addresses 22 security issues for Oracle Fusion Middleware. Nineteen of these can be exploited remotely over the network without authentication. As is the case with Java, the highest CVSS Base Score in this group of vulnerabilities is a 10.0. The components affected by the vulnerabilities in the update include Oracle GlassFish Server, Oracle iPlanet Web Proxy Server and Oracle WebCenter Portal.

The rest of the update includes five security fixes for the Oracle Database Server; four for Oracle E-Business Suite; 16 for the Oracle Supply Chain Products Suite; 17 for Oracle PeopleSoft; two for Oracle Siebel CRM, one for Oracle iLearning; 1 for Oracle Financial Services Software; 11 for Oracle and Sun Systems Product Suite; nine for Oracle Virtualization and 18 for Oracle MySQL.

“Large patch drops from Oracle each quarter are a death blow for security and IT teams,” said Lamar Bailey, director of security research and development for Tripwire. “Oracle products are embedded everywhere in enterprise critical infrastructure and setting up timely change control windows for all their products is next to impossible.”

He urged Oracle customers to focus on applying the Java patches.

“If you’re still using Java drop everything and start patching as fast as possible because exploitation of these vulnerabilities is imminent,” he said.

Written By

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.