Oracle's 193-Bug Patch Includes Zero-Day Fix

Oracle this week released its latest quarterly Critical Patch Update (CPU) that includes fixes for 193 issues across the company's product line.

One of the Java vulnerabilities (CVE-2015-2590) was reportedly already being exploited in the wild, which might account for Oracle's strongly worded admonition in its announcement:

"Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay." (Italics are Oracle's.)

CVE-2015-2590, which allowed remote attackers to affect confidentiality, integrity, and availability "via unknown vectors related to Libraries," was the first zero-day Java vulnerability to be reported in two years, according to security researchers at Trend Micro. The hacker group Pawn Storm (also known as APT28) had been using the zero-day exploit to target "certain armed forces of a NATO country and a U.S. defense organization," the researchers found. The hacker group is believed to be Russian.

Twenty-three of the Java vulnerabilities are remotely exploitable without authentication, explained Eric P. Maurice, director of Oracle's Software Security Assurance group, in an Oracle Security blog post. Sixteen of the Java SE fixes apply to Java client deployments only; one applies to the client installation of Java SE; and five apply to both client and server deployments.

This CPU also includes a fix specifically for the Mac platform, and four for the Java Secure Socket Extension (JSSE) client and server deployments.

Seven of the 25 Java vulnerabilities addressed in this CPU earned a CVSS rating of 10.0, the maximum score. Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open, standardized rating of the vulnerabilities it fixes in its products. This CPU relied on version 2.0 of that rating system, but version 3.0 is now available and will likely be used in the next quarterly update. The Forum of Incident Response and Security Teams (FIRST) announced the availability of CVSS 3.0 in June, after three years of development.

John Matthew Holt, CTO of Dublin-based Java security vendor Waratek, pointed out in an e-mail that, of the 25 CVEs fixed in this patch, 24 (96 percent) affect Java SE 8, the latest Java version -- revealing, he said, that the security of Java's APIs has not significantly improved over time. He also noted that Java SE 7 no longer receives public security updates. "So enterprises running Java SE 7 applications -- which is virtually every large enterprise today -- cannot automatically download and apply these important security fixes," he said.

With this CPU Oracle also provided patches for its other products, including Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Communications Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

About the Author

John K. Waters is the editor in chief of a number of sites, with a focus on high-end development, AI and future tech. He's been writing about cutting-edge technologies and the culture of Silicon Valley for more than two decades, and he's written more than a dozen books. He also co-scripted the documentary film Silicon Valley: A 100 Year Renaissance, which aired on PBS. He can be reached at [email protected].
