Oracle just released a massive security update that covers 104 vulnerabilities across its product portfolio.
Thirty-seven of the vulnerabilities affect Oracle Java SE. According to Oracle’s advisory, 35 of these can be exploited remotely without authentication. Four of the bugs have a CVSS Base Score of 10, the most critical rating a bug can achieve.
“[Twenty-nine] of these 37 vulnerabilities affected client-only deployments, while 6 affected client and server deployments of Java SE,” blogged Eric Maurice, Oracle software security assurance director. “Rounding up this count [was] one vulnerability affecting the Javadoc tool and one affecting unpack200. As a reminder, desktop users, including home users, can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version of Java. Java SE security fixes delivered through the Critical Patch Update program are cumulative. In other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes.”
“Oracle strongly recommends that Java users, particularly home users, keep up with Java releases and remove obsolete versions of Java SE, so as to protect themselves against malicious exploitation of Java vulnerabilities,” he added.
While Java SE took the lion’s share of fixes, other issues in Fusion Middleware and MySQL were addressed as well, noted Amol Sarwate, director of Qualys’ Vulnerability Labs.
“All vulnerabilities in the Fusion Middleware can be exploited over the web using HTTP, and 13 out of the 20 can be exploited remotely without authentication,” he blogged.
Fourteen security fixes are aimed at Oracle MySQL, including two that can be exploited remotely without authentication.
The update also includes: five fixes for Oracle Virtualization; three for Oracle and Sun Systems Products Suite; one in Oracle iLearning; one in Oracle Siebel CRM; eight in Oracle PeopleSoft products; 10 for the Oracle Supply Chain products suite; two for Oracle Database and three for Oracle Hyperion.
“Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update (CPU), Oracle strongly recommends that customers apply this Critical Patch Update as soon as possible,” blogged Maurice.
The next CPU is scheduled for release on July 15. In light of the Heartbleed vulnerability, Oracle also recently published a list of affected products and mitigations.
More from Brian Prince