Oracle plans to issue a massive security update Tuesday that addresses 113 vulnerabilities.
Twenty of the security fixes are aimed at Oracle Java SE. All of these bugs can be exploited remotely without authentication. According to Oracle, the Java SE components fixed in the update affect Java SE and JRockit. The highest CVSS Base Score of the vulnerabilities is 10 – the highest criticality score available.
The update also contains 29 new security fixes for Oracle Fusion Middleware. Twenty-seven of the vulnerabilities are remotely exploitable over a network without the need for a username and password. The highest CVSS Base Score of vulnerabilities affecting Oracle Fusion Middleware is 7.5. The vulnerabilities are in: BI Publisher, GlassFish Communications Server, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle HTTP Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle JDeveloper, Traffic Director, WebCenter Portal and WebLogic Server.
Other vulnerabilities set to be addressed affect the following products: Oracle Database Server (5); Oracle Hyperion (7); Oracle Enterprise Grid Manager (1); Oracle E-Business Suite (5); Supply Chain Products Suite (3); PeopleSoft (5); Siebel CRM (6); Oracle Communications Messaging Server (1); Oracle Retail Applications (3); Oracle Virtualization (15); Oracle and Sun Systems Products Suite (3); and MySQL (10).
“While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory,” Oracle stated in the advisory.
“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” according to the company. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”
“Oracle Database server may only have five vulnerabilities being resolved, but one or more of those have a CVSS base score of 9.0,” said Chris Goettl, program product manager for Shavlik Technologies. “Several other products like Fusion, Virtualization and Retail Applications have CVSS base scores of 7.5 and the rest start to fall steadily from there, but one fairly common theme is they are remotely executable without the need for authentication. Companies running a lot of Oracle software should take some time on Tuesday and review what solutions they have and where they are to see if immediate action is necessary. Again, for Java, the urgency is going to be far greater. If you don’t have a breaking dependency on a specific version it would be a good idea to rollout these updates as soon as you can.”
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
