Oracle's Quarterly Patch Targets 113 Vulnerabilities

Oracle released its quarterly Critical Patch Update (CPU) on Tuesday with 113 security flaw fixes for multiple Oracle products, including 20 for Java Standard Edition (Java SE).

The Java security fixes address vulnerabilities that may be remotely exploitable without authentication—an attacker wouldn't need a user name or password to exploit them over a network. Oracle is providing fixes for 17 Java SE client vulnerabilities, 1 for a Java Secure Socket Extension vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One of the Java SE vulnerabilities (CVE-2014-4227) in this patch update received the highest CVSS Base Score: 10.0. Seven of the other Java SE client vulnerabilities received a CVSS score of 9.3, which means that "a complete compromise of the targeted client is possible, but that access complexity to exploit these vulnerabilities is 'medium,'" Eric P. Maurice, director of Oracle's Software Security Assurance Group, explained in an Oracle Security blog posting.

Oracle is pointing home users to its download site for the most recent version of Java. The company is also recommending in this announcement that Windows XP users upgrade to a currently supported operating system. The company recently announced that it would no longer support Java on XP, though versions of Java earlier than Java SE 8 will still run on the fading OS. "Running unsupported operating systems, particularly one as prevalent as Windows XP, creates a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider," Maurice wrote.

The largest portion of this collection of patches for multiple security vulnerabilities -- 29 of them -- addresses problems found in Oracle Fusion Middleware, 27 of which also enable remote code execution. The list of Fusion Middleware components needing security patches includes the JDeveloper Java IDE, the GlassFish Communications Server, the iPlanet Web Server, and the WebLogic Server, among others. The CVSS score for these Fusion Middleware vulnerabilities was listed as 7.5. Fifteen of the security fixes in the Patch Update apply to Oracle Virtualization (also 7.5 on the CVSS scale). And 10 new security fixes are coming for MySQL.

Oracle's previous quarterly patch update, issued in April, included 89 fixes. 

About the Author

John K. Waters is a freelance author and journalist based in Silicon Valley. His latest book is The Everything Guide to Social Media. Follow John on Twitter, read his blog on ADTmag.com, check out his author page on Amazon, or e-mail him at john@watersworks.com.