Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Patches Java Zero-Day, 192 Other Security Bugs

Oracle on Tuesday released its July 2015 Critical Patch Update (CPU). The updates address a whopping 193 security issues across multiple product families, including a Java zero-day bug exploited in the wild by a sophisticated threat group.

Oracle on Tuesday released its July 2015 Critical Patch Update (CPU). The updates address a whopping 193 security issues across multiple product families, including a Java zero-day bug exploited in the wild by a sophisticated threat group.

Trend Micro revealed earlier this week that an unpatched Java vulnerability had been exploited by the advanced persistent threat (APT) group Pawn Storm (also known as APT28, Sofacy, Fancy Bear, and Sednit) in attacks against the armed forces of a NATO member country, and major defense contractors in the United States and Canada. Researchers noted that this was the first Java zero-day attack reported in almost two years.

After Oracle announced the availability of a patch for the remote code execution vulnerability (CVE-2015-2590), Trend Micro published a blog post with additional technical details on the attack.

The security holes addressed by Oracle with the July 2015 CPU affect a wide range of products, including Oracle Database, Fusion Middleware, Hyperion, Enterprise Manager, E-Business Suite, Supply Chain Suite, PeopleSoft Enterprise, Siebel CRM, Communications Applications, Java SE, Sun Systems Products Suite, Linux and Virtualization, and MySQL.

Forty-four of the patched flaws plague third-party components included in Oracle’s product distributions, such as Qemu and Glibc.

A total of 25 vulnerabilities have been addressed in Java SE and 23 of them can be exploited remotely by an unauthenticated attacker.

“16 of these Java SE fixes are for Java client-only, including one fix for the client installation of Java SE. 5 of the Java fixes are for client and server deployment. One fix is specific to the Mac platform. And 4 fixes are for JSSE client and server deployments,’ Eric Maurice, director of Oracle Software Security Assurance, said in a blog post.

The latest CPU resolves ten vulnerabilities in Oracle Database, 39 in Fusion Middleware, 25 in Berkeley DB, two in Communications Applications, 13 in E-Business Suite, seven in Supply Chain Suite, eight in PeopleSoft Enterprise, five in Siebel, and two in Commerce Platform.

Advertisement. Scroll to continue reading.

Oracle has pointed out that the Common Vulnerability Scoring System (CVSS) scores assigned in the advisory released on Tuesday are based on CVSS v2. However, now that CVSS v3 has been released, Oracle intends to move to the new standard in its future alerts and advisories.

Independent researchers and experts from organizations such as Foreground Security, TELUS Security Labs, Evolution Security, Google, Trend Micro, Trustwave, Rapid7, SEC Consult, Red Hat, Ruhr University Bochum, Microsoft, KPMG, Worldpay, E.ON Business Services, NATO Communications and Information Agency, SecureLayer7, HP’s Zero Day Initiative, and Help AG have been credited for reporting the vulnerabilities patched with the July 2015 CPU.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.