Oracle Patches Java Zero-Day, 192 Other Security Bugs

Oracle on Tuesday released its July 2015 Critical Patch Update (CPU). The updates address a whopping 193 security issues across multiple product families, including a Java zero-day bug exploited in the wild by a sophisticated threat group.

Trend Micro revealed earlier this week that an unpatched Java vulnerability had been exploited by the advanced persistent threat (APT) group Pawn Storm (also known as APT28, Sofacy, Fancy Bear, and Sednit) in attacks against the armed forces of a NATO member country, and major defense contractors in the United States and Canada. Researchers noted that this was the first Java zero-day attack reported in almost two years.

After Oracle announced the availability of a patch for the remote code execution vulnerability (CVE-2015-2590), Trend Micro published a blog post with additional technical details on the attack.

The security holes addressed by Oracle with the July 2015 CPU affect a wide range of products, including Oracle Database, Fusion Middleware, Hyperion, Enterprise Manager, E-Business Suite, Supply Chain Suite, PeopleSoft Enterprise, Siebel CRM, Communications Applications, Java SE, Sun Systems Products Suite, Linux and Virtualization, and MySQL.

Forty-four of the patched flaws plague third-party components included in Oracle’s product distributions, such as Qemu and Glibc.

A total of 25 vulnerabilities have been addressed in Java SE and 23 of them can be exploited remotely by an unauthenticated attacker.

“16 of these Java SE fixes are for Java client-only, including one fix for the client installation of Java SE. 5 of the Java fixes are for client and server deployment. One fix is specific to the Mac platform. And 4 fixes are for JSSE client and server deployments,” Eric Maurice, director of Oracle Software Security Assurance, said in a blog post.

The latest CPU resolves ten vulnerabilities in Oracle Database, 39 in Fusion Middleware, 25 in Berkeley DB, two in Communications Applications, 13 in E-Business Suite, seven in Supply Chain Suite, eight in PeopleSoft Enterprise, five in Siebel, and two in Commerce Platform.

Oracle has pointed out that the Common Vulnerability Scoring System (CVSS) scores assigned in the advisory released on Tuesday are based on CVSS v2. However, now that CVSS v3 has been released, Oracle intends to move to the new standard in its future alerts and advisories.

Independent researchers and experts from organizations such as Foreground Security, TELUS Security Labs, Evolution Security, Google, Trend Micro, Trustwave, Rapid7, SEC Consult, Red Hat, Ruhr University Bochum, Microsoft, KPMG, Worldpay, E.ON Business Services, NATO Communications and Information Agency, SecureLayer7, HP’s Zero Day Initiative, and Help AG have been credited for reporting the vulnerabilities patched with the July 2015 CPU.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
