
Oracle Releases Massive Security Update for 88 Vulnerabilities

Oracle issued a massive update today to patch 88 security vulnerabilities, including dozens of remote code execution issues that can be exploited without user authentication.


The largest number of fixes was for Oracle’s Financial Services Software, with a total of 17 patches. The Oracle Sun products suite contains 15 patches, including five that are remotely exploitable without authentication. Among the Sun products, the most serious of the bugs is a vulnerability in the Oracle Grid Engine that scored a 9.0 out of a possible 10 on the CVSS 2.0 scoring system. The most critical bug overall belonged to JRockit, Oracle’s proprietary Java Virtual Machine, which scored a 10 on the CVSS scale.

“JRockit has been free since May 2011 and it is unclear how many organizations this will affect,” said Marcus Carey, security researcher at Rapid7. “JRockit is considered middleware, which means it operates on servers to run Java applications. This remote code execution vulnerability requires no authentication and is rated as a low level attack vector. The low attack vector rating means that it would be easy to exploit over a network or Internet. This exploit will result in total compromise of the confidentiality, integrity, and availability of a victim’s system.”

“IT security teams should warm up their coffee pots and espresso machines for today’s massive Oracle patch; they will be facing a long day and an even longer night,” said Lamar Bailey, director of security research at nCircle. “Oracle is releasing 88 patches, and a whopping 37 percent of them are remotely executable. Even worse, many of these don’t require login credentials.”

There were also 15 fixes for the Oracle PeopleSoft product suite; two for Oracle Industry applications; six for MySQL; one for the Oracle Primavera products suite; five for the Oracle Supply Chain products suite; four for the Oracle E-Business suite; six for the Oracle Enterprise Manager Grid Control suite; and 11 for Oracle Fusion Middleware. There were also six patches for the Oracle Database software.

No Java update is on the menu in this release, as Oracle releases those updates on a separate schedule. Java vulnerabilities have been in the news lately due to well-publicized attack campaigns such as the resurgence of the Mac OS X Flashback Trojan. The vulnerability targeted in that attack was closed by Oracle in February.

Qualys CTO Wolfgang Kandek called the release a “large update for Oracle software users,” and recommended addressing vulnerabilities on systems that are Internet accessible first.

“Most likely this will mean fixing Glassfish/iPlanet and Solaris vulnerabilities first, followed by MySQL,” he blogged. “Oracle RDBMS can probably be addressed last as these systems tend to be installed in internal networks or well firewalled if they are connected to the Internet at all.”
