
Oracle's Quarterly Patch Targets 113 Vulnerabilities

Oracle released its quarterly Critical Patch Update (CPU) on Tuesday with 113 security flaw fixes for multiple Oracle products, including 20 for Java Standard Edition (Java SE).

The Java security fixes address vulnerabilities that may be remotely exploitable without authentication—an attacker wouldn't need a user name or password to exploit them over a network. Oracle is providing fixes for 17 Java SE client vulnerabilities, 1 for a Java Secure Socket Extension vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One of the Java SE vulnerabilities (CVE-2014-4227) in this patch update received the highest CVSS Base Score: 10.0. Seven of the other Java SE client vulnerabilities received a CVSS score of 9.3, which means that "a complete compromise of the targeted client is possible, but that the access complexity to exploit these vulnerabilities is 'medium,'" Eric P. Maurice, director of Oracle's Software Security Assurance Group, explained in an Oracle Security blog posting.

Oracle is pointing home users to its download site for the most recent version of Java. The company is also recommending in this announcement that Windows XP users upgrade to a currently supported operating system. The company recently announced that it would no longer support Java on XP, though versions of Java earlier than Java SE 8 will still run on the fading OS. "Running unsupported operating systems, particularly one as prevalent as Windows XP, creates a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider," Maurice wrote.

The largest portion of this collection of patches for multiple security vulnerabilities -- 29 of them -- addresses problems found in Oracle Fusion Middleware, 27 of which also enable remote code execution. The list of Fusion Middleware components needing security patches includes the JDeveloper Java IDE, the GlassFish Communications Server, the iPlanet Web Server, and the WebLogic Server, among others. The highest CVSS score among these Fusion Middleware vulnerabilities was listed as 7.5. Fifteen of the security fixes in the Critical Patch Update apply to Oracle Virtualization (also topping out at 7.5 on the CVSS scale). And 10 new security fixes are coming for MySQL.

Oracle's previous quarterly patch update, issued in April, included 89 fixes. 

About the Author

John K. Waters is the editor in chief of a number of Converge360.com sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].

