SecurityWeek

Oracle Releases Massive Security Update for 88 Vulnerabilities

Oracle issued a massive update today to patch 88 security vulnerabilities, including dozens of remote code execution issues that can be exploited without user authentication.

The largest number of fixes was for Oracle’s Financial Services Software, with a total of 17 patches. The Oracle Sun products suite contains 15 patches, including five that are remotely exploitable without authentication. Among the Sun products, the most serious of the bugs is a vulnerability in the Oracle Grid Engine that scored a 9.0 out of a possible 10 on the CVSS 2.0 scoring system. The most critical bug overall belonged to JRockit, Oracle’s proprietary Java Virtual Machine, which scored a 10 on the CVSS scale.

“JRockit has been free since May 2011 and it is unclear how many organizations this will affect,” said Marcus Carey, security researcher at Rapid7. “JRockit is considered middleware, which means it operates on servers to run Java applications. This remote code execution vulnerability requires no authentication and is rated as a low level attack vector. The low attack vector rating means that it would be easy to exploit over a network or Internet. This exploit will result in total compromise of the confidentiality, integrity, and availability of a victim’s system.”

“IT security teams should warm up their coffee pots and espresso machines for today’s massive Oracle patch; they will be facing a long day and an even longer night,” said Lamar Bailey, director of security research at nCircle. “Oracle is releasing 88 patches, and a whopping 37 percent of them are remotely executable. Even worse, many of these don’t require login credentials.”

There were also 15 fixes for the Oracle PeopleSoft product suite; two for Oracle Industry applications; six for MySQL; one for the Oracle Primavera products suite; five for the Oracle Supply Chain products suite; four for the Oracle E-Business suite; six for the Oracle Enterprise Manager Grid Control suite; and 11 for Oracle Fusion Middleware. There were also six patches for the Oracle Database software.

No Java update is on the menu in this release, as Oracle releases those updates on a separate schedule. Java vulnerabilities have been in the news lately due to well-publicized attack campaigns such as the resurgence of the Mac OS X Flashback Trojan. The vulnerability targeted in that attack was closed by Oracle in February.

Qualys CTO Wolfgang Kandek called the release a “large update for Oracle software users,” and recommended addressing vulnerabilities on systems that are Internet accessible first.

“Most likely this will mean fixing Glassfish/iPlanet and Solaris vulnerabilities first, followed by MySQL,” he blogged. “Oracle RDBMS can probably be addressed last as these systems tend to be installed in internal networks or well firewalled if they are connected to the Internet at all.”

Written By

Marketing professional with a background in journalism and a focus on IT security.
