The Latest in IT Security

Oracle Releases Massive Security Update

17 Apr 2014

Oracle just released a massive security update that covers 104 vulnerabilities across its product portfolio.

Thirty-seven of the vulnerabilities affect Oracle Java SE. According to Oracle’s advisory, 35 of these can be exploited remotely without authentication. Four of the bugs have a CVSS Base Score of 10, the most critical rating a bug can achieve.

“[Twenty-nine] of these 37 vulnerabilities affected client-only deployments, while 6 affected client and server deployments of Java SE,” blogged Eric Maurice, Oracle software security assurance director. “Rounding up this count [was] one vulnerability affecting the Javadoc tool and one affecting unpack200. As a reminder, desktop users, including home users, can leverage the Java Autoupdate or visit Java.com to ensure that they are running the most recent version of Java. Java SE security fixes delivered through the Critical Patch Update program are cumulative. In other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes.”

“Oracle strongly recommends that Java users, particularly home users, keep up with Java releases and remove obsolete versions of Java SE, so as to protect themselves against malicious exploitation of Java vulnerabilities,” he added.

While Java SE took the lion’s share of fixes, other issues in Fusion Middleware and MySQL were addressed as well, noted Amol Sarwate, director of Qualys’ Vulnerability Labs.

“All vulnerabilities in the Fusion Middleware can be exploited over the web using HTTP, and 13 out of the 20 can be exploited remotely without authentication,” he blogged.

Fourteen security fixes are aimed at Oracle MySQL, including two that can be exploited remotely without authentication.

The update also includes: five fixes for Oracle Virtualization; three for Oracle and Sun Systems Products Suite; one in Oracle iLearning; one in Oracle Siebel CRM; eight in Oracle PeopleSoft products; 10 for the Oracle Supply Chain products suite; two for Oracle Database and three for Oracle Hyperion.

“Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update (CPU), Oracle strongly recommends that customers apply this Critical Patch Update as soon as possible,” blogged Maurice.

The next CPU is scheduled to be released July 15. In light of the Heartbleed vulnerability, Oracle also recently released a list of affected products and mitigations.


Brian Prince is a Contributing Writer for SecurityWeek.
