Security Experts:

Oracle Patches Java Zero-Day, 192 Other Security Bugs

Oracle on Tuesday released its July 2015 Critical Patch Update (CPU). The updates address a whopping 193 security issues across multiple product families, including a Java zero-day bug exploited in the wild by a sophisticated threat group.

Trend Micro revealed earlier this week that an unpatched Java vulnerability had been exploited by the advanced persistent threat (APT) group Pawn Storm (also known as APT28, Sofacy, Fancy Bear, and Sednit) in attacks against the armed forces of a NATO member country, and major defense contractors in the United States and Canada. Researchers noted that this was the first Java zero-day attack reported in almost two years.

After Oracle announced the availability of a patch for the remote code execution vulnerability (CVE-2015-2590), Trend Micro published a blog post with additional technical details on the attack.

The security holes addressed by Oracle with the July 2015 CPU affect a wide range of products, including Oracle Database, Fusion Middleware, Hyperion, Enterprise Manager, E-Business Suite, Supply Chain Suite, PeopleSoft Enterprise, Siebel CRM, Communications Applications, Java SE, Sun Systems Products Suite, Linux and Virtualization, and MySQL.

Forty-four of the patched flaws plague third-party components included in Oracle’s product distributions, such as Qemu and Glibc.

A total of 25 vulnerabilities have been addressed in Java SE and 23 of them can be exploited remotely by an unauthenticated attacker.

“16 of these Java SE fixes are for Java client-only, including one fix for the client installation of Java SE. 5 of the Java fixes are for client and server deployment. One fix is specific to the Mac platform. And 4 fixes are for JSSE client and server deployments,’ Eric Maurice, director of Oracle Software Security Assurance, said in a blog post.

The latest CPU resolves ten vulnerabilities in Oracle Database, 39 in Fusion Middleware, 25 in Berkeley DB, two in Communications Applications, 13 in E-Business Suite, seven in Supply Chain Suite, eight in PeopleSoft Enterprise, five in Siebel, and two in Commerce Platform.

Oracle has pointed out that the Common Vulnerability Scoring System (CVSS) scores assigned in the advisory released on Tuesday are based on CVSS v2. However, now that CVSS v3 has been released, Oracle intends to move to the new standard in its future alerts and advisories.

Independent researchers and experts from organizations such as Foreground Security, TELUS Security Labs, Evolution Security, Google, Trend Micro, Trustwave, Rapid7, SEC Consult, Red Hat, Ruhr University Bochum, Microsoft, KPMG, Worldpay, E.ON Business Services, NATO Communications and Information Agency, SecureLayer7, HP's Zero Day Initiative, and Help AG have been credited for reporting the vulnerabilities patched with the July 2015 CPU.

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.