Oracle to issue huge security patch addressing 36 Java vulnerabilities

144 flaws found across hundreds of Oracle products and components
Mon Jan 13 2014, 11:42
ENTERPRISE VENDOR Oracle will issue its first patch update of 2014 on Tuesday, and it will be one of its biggest ever, bundling a slew of security patches, many of which address vulnerabilities in Java.

The Critical Patch Update will address 144 flaws in hundreds of Oracle products. Of these, 36 are vulnerabilities in Java SE, and 34 of those can be exploited remotely by an attacker without authentication.

"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products", Oracle said in its pre-release announcement. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible."

Five of the security fixes will apply to Oracle Database Server. One of these vulnerabilities might be remotely exploitable without authentication, meaning it could be exploited over a network without the need for a username and password.

The patch update will be released on 14 January for Oracle products and components including JavaFX, versions 2.2.45 and earlier, Java JDK and JRE, versions 5.0u55, 6u65, 7u45 and earlier, and Java SE Embedded, versions 7u45 and earlier.
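Since the article identifies the affected Java releases only by family and update number ("5.0u55, 6u65, 7u45 and earlier"), a defender's first job is to find installations at or below those levels. The check below is an added example, not code from The Inquirer or Oracle: it parses the legacy `1.<family>.0_<update>` string that `java -version` prints and flags anything at or below the listed update for its family. The affected-version table comes straight from the article; the sample version lines are constructed, and the newer update numbers in them are not claims about which release carries the fix.

```python
import re
from typing import Optional, Tuple

# Highest update number per Java SE family that the article lists as affected
# ("5.0u55, 6u65, 7u45 and earlier"). Values taken from the article.
AFFECTED_MAX_UPDATE = {5: 55, 6: 65, 7: 45}

# Matches '1.7.0_45', '1.6.0_65', '1.8.0' (no update suffix) inside any text.
_VERSION_RE = re.compile(r'(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from a Java version string or the first line
    of `java -version` output; update defaults to 0 when absent."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, _patch, update = m.groups()
    major, minor = int(major), int(minor)
    # Legacy numbering: '1.7.0' is Java 7 and '1.5.0' is Java 5.
    family = minor if major == 1 else major
    return family, int(update) if update else 0


def needs_cpu_update(text: str) -> Optional[bool]:
    """True if the version is at or below the affected maximum for its family,
    False if it is newer, None if the string cannot be parsed or the family is
    not one the article lists (so no judgement is made)."""
    parsed = parse_java_version(text)
    if parsed is None:
        return None
    family, update = parsed
    limit = AFFECTED_MAX_UPDATE.get(family)
    if limit is None:
        return None
    return update <= limit


# Constructed sample first lines of `java -version` (hypothetical, not captured
# from any real host).
SAMPLES = [
    'java version "1.7.0_45"',
    'java version "1.7.0_51"',
    'java version "1.6.0_65"',
    'java version "1.5.0_22"',
    'java version "1.8.0"',
    'not java at all',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{line!r}: needs update = {needs_cpu_update(line)}")
```

Feed it the first line of `java -version` from each host in an inventory; a `None` result means the family is outside the article's list and should be checked against Oracle's own advisory rather than assumed safe.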

The highest CVSS 2.0 Base Score for vulnerabilities in Oracle's Critical Patch Update is 10.0 for Java SE, Java SE Embedded, and JRockit of Oracle Java SE, MySQL Enterprise Monitor of Oracle MySQL, Oracle FLEXCUBE Private Banking of Oracle Financial Services Software and Oracle WebCenter Sites of Oracle Fusion Middleware.

Security firm Qualys' CTO Wolfgang Kandek warned that browser plug-ins such as Java are one of the main threat vectors, as more companies are being infected through web-based attacks.

"One needs to pay attention to the browser plug-ins, and in that class, the most important is Oracle's Java," Kandek said. "Java just suffered a widely published attack during the Yahoo Ad-based attacks from [December to January 2014], where the Magnitude exploit kit was used to deliver malware to users that were running an outdated version of Java."

He added that Oracle's critical patch update will "further tighten its security parameters".
