
Oracle's Quarterly Patch Targets 113 Vulnerabilities

Oracle released its quarterly Critical Patch Update (CPU) on Tuesday with 113 security flaw fixes for multiple Oracle products, including 20 for Java Standard Edition (Java SE).

The Java security fixes address vulnerabilities that may be remotely exploitable without authentication—an attacker wouldn't need a user name or password to exploit them over a network. Oracle is providing fixes for 17 Java SE client vulnerabilities, 1 for a Java Secure Socket Extension vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One of the Java SE vulnerabilities (CVE-2014-4227) in this patch update received the highest CVSS Base Score: 10.0. Seven of the other Java SE client vulnerabilities received a CVSS score of 9.3, which means that "a complete compromise of the targeted client is possible, but that access complexity to exploit these vulnerabilities is 'medium,'" Eric P. Maurice, director of Oracle's Software Security Assurance Group, explained in an Oracle Security blog posting.

Oracle is pointing home users to its download site for the most recent version of Java. The company is also recommending in this announcement that Windows XP users upgrade to a currently supported operating system. The company recently announced that it would no longer support Java on XP, though versions of Java earlier than Java SE 8 will still run on the fading OS. "Running unsupported operating systems, particularly one as prevalent as Windows XP, creates a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider," Maurice wrote.

The largest portion of this collection of patches for multiple security vulnerabilities -- 29 of them -- addresses problems found in Oracle Fusion Middleware, 27 of which also enable remote code execution. The list of Fusion Middleware components needing security patches includes the JDeveloper Java IDE, the GlassFish Communications Server, the iPlanet Web Server, and the WebLogic Server, among others. The CVSS score listed for these Fusion Middleware vulnerabilities was 7.5. Fifteen of the security fixes in the Patch Update apply to Oracle Virtualization (also 7.5 on the CVSS scale). And 10 new security fixes are coming for MySQL.

Oracle's previous quarterly patch update, issued in April, included 89 fixes. 

About the Author

John K. Waters is a freelance author and journalist based in Silicon Valley. His latest book is The Everything Guide to Social Media. Follow John on Twitter, read his blog on ADTmag.com, check out his author page on Amazon, or e-mail him at john@watersworks.com.

