Oracle released a mammoth security update that fixes 144 security vulnerabilities – including critical flaws in Java SE and Oracle Fusion Middleware.
Tucked inside the massive release are 36 fixes for Oracle Java SE, 34 of which can be exploited remotely without authentication. The highest CVSS Base Score of the Java vulnerabilities is a 10.0 – the highest possible overall vulnerability score. According to Oracle, the Java SE components affected by the vulnerabilities are: Java SE, Java SE Embedded, JavaFX and JRockit.
“Java was one of the most attacked [software products] in 2013 and it will continue to be so due to its sluggish update record,” blogged Wolfgang Kandek, CTO of Qualys. “It was in the news recently when attackers installed malware through advertisements on Yahoo’s homepage by abusing a Java vulnerability on the affected users’ machines. Fix this vulnerability first, and if you encounter resistance to updating Java, map out why the machines in question cannot run this latest version.”
The update also addresses 22 security issues for Oracle Fusion Middleware. Nineteen of these can be exploited remotely over the network without authentication. As is the case with Java, the highest CVSS Base Score in this group of vulnerabilities is a 10.0. The components affected by the vulnerabilities in the update include Oracle GlassFish Server, Oracle iPlanet Web Proxy Server and Oracle WebCenter Portal.
The rest of the update includes five security fixes for the Oracle Database Server; four for Oracle E-Business Suite; 16 for the Oracle Supply Chain Products Suite; 17 for Oracle PeopleSoft; two for Oracle Siebel CRM, one for Oracle iLearning; 1 for Oracle Financial Services Software; 11 for Oracle and Sun Systems Product Suite; nine for Oracle Virtualization and 18 for Oracle MySQL.
“Large patch drops from Oracle each quarter are a death blow for security and IT teams,” said Lamar Bailey, director of security research and development for Tripwire. “Oracle products are embedded everywhere in enterprise critical infrastructure and setting up timely change control windows for all their products is next to impossible.”
He urged Oracle customers to focus on applying the Java patches.
“If you’re still using Java drop everything and start patching as fast as possible because exploitation of these vulnerabilities is imminent,” he said.