Watch on Demand: Attack Surface Management Summit | All Sessions Now Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Issues Massive Security Update With Critical Fixes for Java, Fusion Middleware

Oracle released a mammoth security update that fixes 144 security vulnerabilities – including critical flaws in Java SE and Oracle Fusion Middleware.

Oracle released a mammoth security update that fixes 144 security vulnerabilities – including critical flaws in Java SE and Oracle Fusion Middleware.

Tucked inside the massive release are 36 fixes for Oracle Java SE, 34 of which can be exploited remotely without authentication. The highest CVSS Base Score of the Java vulnerabilities is a 10.0 – the highest possible overall vulnerability score. According to Oracle, the Java SE components affected by the vulnerabilities are: Java SE, Java SE Embedded, JavaFX and JRockit.

Oracle Security Patches“Java was one of the most attacked [software products] in 2013 and it will continue to be so due to its sluggish update record,” blogged Wolfgang Kandek, CTO of Qualys. “It was in the news recently when attackers installed malware through advertisements on Yahoo’s homepage by abusing a Java vulnerability on the affected users’ machines. Fix this vulnerability first, and if you encounter resistance to updating Java, map out why the machines in question cannot run this latest version.”

The update also addresses 22 security issues for Oracle Fusion Middleware. Nineteen of these can be exploited remotely over the network without authentication. As is the case with Java, the highest CVSS Base Score in this group of vulnerabilities is a 10.0. The components affected by the vulnerabilities in the update include Oracle GlassFish Server, Oracle iPlanet Web Proxy Server and Oracle WebCenter Portal.

The rest of the update includes five security fixes for the Oracle Database Server; four for Oracle E-Business Suite; 16 for the Oracle Supply Chain Products Suite; 17 for Oracle PeopleSoft; two for Oracle Siebel CRM, one for Oracle iLearning; 1 for Oracle Financial Services Software; 11 for Oracle and Sun Systems Product Suite; nine for Oracle Virtualization and 18 for Oracle MySQL.

Advertisement. Scroll to continue reading.

“Large patch drops from Oracle each quarter are a death blow for security and IT teams,” said Lamar Bailey, director of security research and development for Tripwire. “Oracle products are embedded everywhere in enterprise critical infrastructure and setting up timely change control windows for all their products is next to impossible.”

He urged Oracle customers to focus on applying the Java patches.

“If you’re still using Java drop everything and start patching as fast as possible because exploitation of these vulnerabilities is imminent,” he said.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Data privacy startup Mine has appointed Avi Israel, Jessica Stanford, Michael Trites, Dikla Yuval, and Roee Silberman to executive positions.

Bob Turner has been named CISO at Penn State University.

V2X has appointed Christopher Carter as CISO.

More People On The Move

Expert Insights