Oracle has addressed a total of 113 security vulnerabilities across its product base with the release of its Critical Patch Update (CPU) for July 2014.
The CPU includes fixes for 20 flaws affecting Java SE, all of which can be remotely exploited without authentication. The vulnerabilities impact Java SE subcomponents such as Swing, Serviceability, Deployment, Security, Libraries, JavaFX, Hotspot and JMX. Two of the bugs are in Java SE's JRockit component. The list of affected versions includes Java SE 6u75, Java SE 7u60 and Java SE 8u5, but it's worth noting that not all of these versions are affected by every one of the security holes.
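Before the re-test-and-roll-out cycle can start, a practitioner needs to know which hosts are still running one of the affected Java SE update levels named above. The following script is an added example written for this page, not Oracle's tooling, and it compares `java -version` banners against the 6u75/7u60/8u5 ceilings listed in the article. It assumes, as Oracle CPU wording normally implies but this page does not state, that earlier updates of each family are affected as well; the host names and banners are constructed sample data, and OpenJDK builds are sent to manual review because distribution vendors patch and number them independently.

```python
import re
import subprocess

# Highest affected update level per Java SE family, taken from the
# July 2014 CPU coverage above: 6u75, 7u60 and 8u5.
# Assumption (standard CPU wording, not stated on this page): earlier
# updates in each family are affected too, so anything at or below the
# listed level is flagged.
AFFECTED_MAX_UPDATE = {6: 75, 7: 60, 8: 5}

# Matches the pre-Java-9 banner format, e.g. java version "1.7.0_60"
# or java version "1.8.0_05" (Oracle zero-pads single-digit updates).
VERSION_RE = re.compile(r'^java version "1\.(\d+)\.0(?:_(\d+))?"')


def parse_java_version(banner):
    """Return (family, update) from the first line of a `java -version`
    banner, or None when the line is not an Oracle-style version string."""
    first_line = banner.strip().splitlines()[0] if banner.strip() else ""
    m = VERSION_RE.match(first_line)
    if not m:
        return None
    family = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0  # "1.7.0" alone is GA
    return family, update


def is_affected(banner):
    """True if the banner is at or below a listed affected update level,
    False if it is above it, None if the banner cannot be judged here
    (OpenJDK vendor builds, unknown families, unparseable output)."""
    first_line = banner.strip().splitlines()[0] if banner.strip() else ""
    if first_line.startswith("openjdk"):
        return None  # vendor-patched; compare against the distro advisory
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    if family not in AFFECTED_MAX_UPDATE:
        return None
    return update <= AFFECTED_MAX_UPDATE[family]


def triage(inventory):
    """Map {host: banner} to {host: 'affected' | 'not_listed' | 'review'}."""
    verdicts = {}
    for host, banner in inventory.items():
        flag = is_affected(banner)
        if flag is None:
            verdicts[host] = "review"
        else:
            verdicts[host] = "affected" if flag else "not_listed"
    return verdicts


def local_java_banner():
    """Capture the local `java -version` banner (written to stderr), or
    return None if no java binary is on PATH."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None
    return proc.stderr or proc.stdout


# Constructed sample inventory; the host names and banners are invented.
SAMPLE_INVENTORY = {
    "build01": 'java version "1.7.0_60"',
    "web02": 'java version "1.8.0_05"',
    "legacy03": 'java version "1.6.0_75"',
    "ci04": 'openjdk version "1.7.0_55"',
    "dev05": 'java version "1.8.0_20"',
}

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:10s} {verdict}")
    banner = local_java_banner()
    if banner:
        print("local java:", triage({"localhost": banner})["localhost"])
```

Running it prints one verdict per sample host and, if a `java` binary is on PATH, a verdict for the local machine. A "not_listed" result only means the update is above the level named in the article; it does not by itself prove the host carries the July 2014 fixes, so confirm against Oracle's CPU advisory before closing the ticket.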
“Most of the vulnerabilities are remotely exploitable without authentication, and CVSS scores of 10 and 9.3 indicate that they can be readily exploited, and lead to full compromise. Which means that keystroke loggers, ebanking trojans, etc, will soon follow,” Daniel Wesemann, a security researcher with the SANS Institute, said in a blog post.
“After the past three years of repeated gaping holes in Java, we hope that by now you have found a way to remove Java from your computers entirely, or to at least no longer run the Java plugin within the web browser. Otherwise, it is back to the hamster wheel, to yet again re-test all your applications that still require Java, to check for the inevitable incompatibilities with this latest release, and then to expedite the roll-out. This is definitely a patch that you don’t want to skip or delay.”
Despite recent rumors that security patches for Java 7 will no longer work on Windows XP, Oracle clarified last week that this is untrue. Windows XP users will continue to get automatic updates at least until April 2015, when the end of public updates is scheduled for JDK 7.
“The important point here is that we can no longer provide complete guarantees for Java on Windows XP, since the OS is no longer being updated by Microsoft,” said Henrik Stahl, the vice president of product management at Oracle’s Java Platform Group.
In addition to the Java vulnerabilities, Oracle has also fixed 5 security issues in Oracle Database Server, 29 in Oracle Fusion Middleware, 7 in Oracle Hyperion, 1 in Oracle Enterprise Manager Grid Control, 5 in Oracle E-Business Suite, 3 in the Oracle Supply Chain Products Suite, 5 in Oracle PeopleSoft Products, 6 in Oracle Siebel CRM, 1 in Oracle Communications Applications, 3 in Oracle Retail Applications, 3 in the Oracle and Sun Systems Products Suite, 15 in Oracle Virtualization, and 10 in Oracle MySQL. One of the updates for MySQL Enterprise Server 5.6 includes a fix for the OpenSSL bug dubbed “Heartbleed.”
The list of individuals and organizations that have reported the vulnerabilities addressed with the July 2014 CPU includes Alon Friedman, Rohan Stelling of BAE Systems Detica, Andrea Micalizzi, Ilja van Sprundel of IOActive, Borked of the Google Security Team, CERT/CC, Cihan Oncu, David Litchfield of Datacom TSS, Peter Kamensky of ERPScan, Florian Weimer of Red Hat, Jeroen Frijters, John Leitch, Larry W. Cashdollar, Toby Clarke of Gotham Digital Science, Matt Bergin of KoreLogic Disclosures, Michael Miller of Integrigy, Rafal Wojtczuk of Bromium, Sayan Malakshinov of PSBank, Serguei Mourachov and Yash Kadakia of Security Brigade.
“As a reminder, Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products,” Eric Maurice, Oracle’s director of software security assurance, wrote in a blog post.