Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Patches Critical Java Vulnerabilities

Oracle pushed out patches for 40 security vulnerabilities in Java SE today.

Virtually all of the vulnerabilities can be exploited over a network without authentication, and four of the bugs are applicable to server deployments of Java, according to the company.

Oracle pushed out patches for 40 security vulnerabilities in Java SE today.

Virtually all of the vulnerabilities can be exploited over a network without authentication, and four of the bugs are applicable to server deployments of Java, according to the company.

Several of the vulnerabilities in the Java Runtime Environment have a ranking of 10.0, the highest CVSS severity ranking available. According to Oracle, the list of affected products includes numerous versions of the Java Development Kit (JDK), the Java Runtime Environment (JRE) and the JavaFX development platform.

“The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system,” noted Ross Barrett, senior manager of security engineering at Rapid7. “The latest versions of Java 7, 6 and 5 are all vulnerable to most of these conditions. It’s highly likely that earlier versions are also vulnerable.”

“The recommendation here, as always, is for all users to patch as quickly as possible,” he said. “There are a good number of researchers that have been credited for these fixes and it’s likely that Proof of Concept code will be released now that that patches are available.”

Several high-risk vulnerabilities fixed by the update were discovered by researchers working with HP’s Zero Day Initiative [ZDI]. 

Advertisement. Scroll to continue reading.

“These vulnerabilities cover a wide spectrum of software weaknesses including sandbox bypasses, heap-based buffer overflows, and out-of-bounds writes,” said Brian Gorenc, manager of ZDI. “As we saw earlier this year at Pwn2Own, these specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code. With most of these issues originally reported by ZDI in early April, Oracle seems to be reacting quickly to high severity vulnerabilities. We look forward to seeing this trend continue.”

Java security has been under heavy scrutiny due to the attention Java vulnerabilities continue to garner from attackers. This year, the company promised to improve security and work with Java’s user community to improve awareness.

“All of these changes are for the better – Oracle is acknowledging that there have been challenges when it comes to Java security in the past, and they’re working hard to improve it moving forward,” blogged Pawan Kinger, vulnerability research manager at Trend Micro. “We appreciate these efforts and hope that they succeed in reducing the threat from Java exploits, which is completely in line with Trend Micro’s goal of creating a world safe for exchanging digital information.”

Given the wide spread use of Java, there is unlikely to be a slowdown in exploits and patches anytime soon, said Lamar Bailey, director of security research and development at Tripwire.

“Java is squarely in the crosshairs of many hackers and security researchers and that’s not going to change in the short term,” he said. “Many companies and vendors are moving away from or disabling Java for their end users. Apple turned Java off in their browser by default and Microsoft released a fix-it last week to allows IE users to disable Java in IE.”

“Since Java is used so widely Oracle really needs to abandon the quarterly release cycle and get Java updates out to users at least monthly until the rising tide of vulnerabilities starts to recede,” he said. 

Oracle strongly recommends customers apply the patches as soon as possible.

*This story was updated with additional commentary.

Written By

Marketing professional with a background in journalism and a focus on IT security.

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more.

Register

This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments.

Register

People on the Move

James Phillips has been promoted to the role of Vice President, Cybersecurity Risk Management at AT&T.

Rafal Los has joined Binary Defense as Chief Strategy Officer.

Tracey Mustacchio has joined Everfox as Chief Marketing Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.