Oracle Patches 113 Vulnerabilities, Including 20 in Java

Oracle has addressed a total of 113 security vulnerabilities across its product base with the release of its Critical Patch Update (CPU) for July 2014.

The CPU includes fixes for 20 flaws affecting Java SE, all of which can be exploited remotely without authentication. The vulnerabilities affect Java SE subcomponents such as Swing, Serviceability, Deployment, Security, Libraries, JavaFX, HotSpot and JMX. Two of the bugs are in Java SE's JRockit component. The affected versions include Java SE 6u75, 7u60 and 8u5, though not every one of these versions is affected by every flaw.
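A practical first step after a CPU like this is to find which hosts are still running one of the affected builds. The following is an added example, not code from the article or from Oracle: it parses the version line that `java -version` prints and flags any Java SE 6, 7 or 8 build at or below the update levels the article names (6u75, 7u60, 8u5). The assumption that earlier updates of the same major version are also unpatched, the helper names, and the sample host output are all mine and are not on the page.

```python
import re

# Affected update levels named in the article (Java SE 6u75, 7u60, 8u5).
# Assumption (not stated on the page): earlier updates of the same major
# version never received the July 2014 fixes either, so anything at or
# below these update numbers is treated as unpatched.
AFFECTED_MAX_UPDATE = {6: 75, 7: 60, 8: 5}

# Matches the first line printed by `java -version` in 2014-era builds,
# e.g.  java version "1.7.0_60"  or  java version "1.8.0_05-b13".
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d)\.0(?:_(\d+))?[^"]*"')


def parse_java_version(version_output):
    """Return (major, update) from `java -version` output, or None if the
    output is not a recognised Java version banner.
    A build with no update suffix (e.g. "1.7.0") is treated as update 0."""
    m = _VERSION_RE.search(version_output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def is_affected(version_output):
    """True if the reported Java SE build is at or below an affected update
    level. Unrecognised output (no Java installed, unexpected banner) and
    major versions the article does not mention are reported as not
    affected; that means "nothing to say", not "known safe"."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return False
    major, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(major)
    return limit is not None and update <= limit


def scan_hosts(host_outputs):
    """Map host name -> True/False for a dict of captured `java -version`
    output, so the result can be fed into a patch roll-out list."""
    return {host: is_affected(out) for host, out in host_outputs.items()}


# Constructed sample output from four hosts (not real inventory data).
SAMPLE_HOSTS = {
    "host-a": 'java version "1.7.0_60"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_60-b19)\n',
    "host-b": 'java version "1.8.0_05"\n'
              'Java(TM) SE Runtime Environment (build 1.8.0_05-b13)\n',
    "host-c": 'java version "1.7.0_65"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_65-b17)\n',
    "host-d": 'bash: java: command not found\n',
}

if __name__ == "__main__":
    for host, affected in sorted(scan_hosts(SAMPLE_HOSTS).items()):
        print(f"{host}: {'UNPATCHED' if affected else 'ok'}")
```

Note that `java -version` writes its banner to standard error, not standard output, so when collecting real data with `subprocess.run(["java", "-version"], capture_output=True, text=True)` the text to pass in is `.stderr`. The check only covers the JRE on the `PATH`; browser plugins and bundled JREs inside applications need to be inventoried separately, which is the "hamster wheel" the SANS post below refers to.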

“Most of the vulnerabilities are remotely exploitable without authentication, and CVSS scores of 10 and 9.3 indicate that they can be readily exploited, and lead to full compromise. Which means that keystroke loggers, ebanking trojans, etc, will soon follow,” Daniel Wesemann, a security researcher with the SANS Institute, said in a blog post.

“After the past three years of repeated gaping holes in Java, we hope that by now you have found a way to remove Java from your computers entirely, or to at least no longer run the Java plugin within the web browser. Otherwise, it is back to the hamster wheel, to yet again re-test all your applications that still require Java, to check for the inevitable incompatibilities with this latest release, and then to expedite the roll-out. This is definitely a patch that you don’t want to skip or delay.”

Despite recent rumors that security patches for Java 7 will no longer work on Windows XP, Oracle clarified last week that this is untrue. Windows XP users will continue to get automatic updates at least until April 2015, when the end of public updates is scheduled for JDK 7.

“The important point here is that we can no longer provide complete guarantees for Java on Windows XP, since the OS is no longer being updated by Microsoft,” said Henrik Stahl, the vice president of product management at Oracle’s Java Platform Group.

In addition to the Java vulnerabilities, Oracle has also fixed 5 security issues in Oracle Database Server, 29 in Oracle Fusion Middleware, 7 in Oracle Hyperion, 1 in Oracle Enterprise Manager Grid Control, 5 in Oracle E-Business Suite, 3 in the Oracle Supply Chain Products Suite, 5 in Oracle PeopleSoft Products, 6 in Oracle Siebel CRM, 1 in Oracle Communications Applications, 3 in Oracle Retail Applications, 3 in the Oracle and Sun Systems Products Suite, 15 in Oracle Virtualization, and 10 in Oracle MySQL. One of the updates for MySQL Enterprise Server 5.6 includes a fix for the OpenSSL bug dubbed “Heartbleed.”

The list of individuals and organizations that have reported the vulnerabilities addressed with the July 2014 CPU includes Alon Friedman, Rohan Stelling of BAE Systems Detica, Andrea Micalizzi, Ilja van Sprundel of IOActive, Borked of the Google Security Team, CERT/CC, Cihan Oncu, David Litchfield of Datacom TSS, Peter Kamensky of ERPScan, Florian Weimer of Red Hat, Jeroen Frijters, John Leitch, Larry W. Cashdollar, Toby Clarke of Gotham Digital Science, Matt Bergin of KoreLogic Disclosures, Michael Miller of Integrigy, Rafal Wojtczuk of Bromium, Sayan Malakshinov of PSBank, Serguei Mourachov and Yash Kadakia of Security Brigade.

“As a reminder, Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products,” Eric Maurice, Oracle’s director of software security assurance, wrote in a blog post.


Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
