Connect with us

Hi, what are you looking for?



Oracle Patches Critical Java Vulnerabilities

Oracle pushed out patches for 40 security vulnerabilities in Java SE today.

Virtually all of the vulnerabilities can be exploited over a network without authentication, and four of the bugs are applicable to server deployments of Java, according to the company.

Oracle pushed out patches for 40 security vulnerabilities in Java SE today.

Virtually all of the vulnerabilities can be exploited over a network without authentication, and four of the bugs are applicable to server deployments of Java, according to the company.

Several of the vulnerabilities in the Java Runtime Environment have a ranking of 10.0, the highest CVSS severity ranking available. According to Oracle, the list of affected products includes numerous versions of the Java Development Kit (JDK), the Java Runtime Environment (JRE) and the JavaFX development platform.

“The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system,” noted Ross Barrett, senior manager of security engineering at Rapid7. “The latest versions of Java 7, 6 and 5 are all vulnerable to most of these conditions. It’s highly likely that earlier versions are also vulnerable.”

“The recommendation here, as always, is for all users to patch as quickly as possible,” he said. “There are a good number of researchers that have been credited for these fixes and it’s likely that Proof of Concept code will be released now that that patches are available.”

Several high-risk vulnerabilities fixed by the update were discovered by researchers working with HP’s Zero Day Initiative [ZDI]. 

“These vulnerabilities cover a wide spectrum of software weaknesses including sandbox bypasses, heap-based buffer overflows, and out-of-bounds writes,” said Brian Gorenc, manager of ZDI. “As we saw earlier this year at Pwn2Own, these specific vulnerability types can be leveraged by attackers to compromise machines and execute arbitrary code. With most of these issues originally reported by ZDI in early April, Oracle seems to be reacting quickly to high severity vulnerabilities. We look forward to seeing this trend continue.”

Advertisement. Scroll to continue reading.

Java security has been under heavy scrutiny due to the attention Java vulnerabilities continue to garner from attackers. This year, the company promised to improve security and work with Java’s user community to improve awareness.

“All of these changes are for the better – Oracle is acknowledging that there have been challenges when it comes to Java security in the past, and they’re working hard to improve it moving forward,” blogged Pawan Kinger, vulnerability research manager at Trend Micro. “We appreciate these efforts and hope that they succeed in reducing the threat from Java exploits, which is completely in line with Trend Micro’s goal of creating a world safe for exchanging digital information.”

Given the wide spread use of Java, there is unlikely to be a slowdown in exploits and patches anytime soon, said Lamar Bailey, director of security research and development at Tripwire.

“Java is squarely in the crosshairs of many hackers and security researchers and that’s not going to change in the short term,” he said. “Many companies and vendors are moving away from or disabling Java for their end users. Apple turned Java off in their browser by default and Microsoft released a fix-it last week to allows IE users to disable Java in IE.”

“Since Java is used so widely Oracle really needs to abandon the quarterly release cycle and get Java updates out to users at least monthly until the rising tide of vulnerabilities starts to recede,” he said. 

Oracle strongly recommends customers apply the patches as soon as possible.

*This story was updated with additional commentary.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.