Risk
10/16/2013
10:21 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Oracle Issues Massive Security Patch For Java, Databases

Oracle's quarterly update includes 127 security patches, including fixes for remotely exploitable Java flaws.

Oracle on Tuesday released 127 security fixes for its products, including 51 patches for Java, as part of its quarterly critical patch update (CPU).

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible," according to the distribution page for the fixes.

Vulnerabilities detailed in the security bulletin affect all versions of Java (versions 5, 6 and 7), as well as Oracle Database 11g and 12c, Fusion Middleware, Enterprise Manager, E-Business Suite, Flexcube Products Suite, Oracle's Health Sciences and Retail Products suites, Primavera, PeopleSoft, Siebel and MySQL.

While Oracle's critical patch update fixes only recent versions of many of those programs, the company said that older, unsupported versions may have the same bugs. "It is likely that earlier versions of affected releases are also affected by these vulnerabilities," Oracle said. "As a result, customers are recommended to upgrade to supported versions."

[ For more Oracle news, see Oracle OpenWorld: 5 Rants And Raves . ]

Which bugs should information security managers squash first? "All of these updates are important, but arguably Java is the most important of all of them," said Chester Wisniewski, a senior security advisor at Sophos Canada, in a blog post.

Indeed, of the 51 Java patches, 50 involve remotely exploitable vulnerabilities, and an equal number of flaws affect Java applets or Java WebStart, which allows Java apps to be run from the browser. Finally, 12 of the Java bugs score a "10" on the CVSSv2 vulnerability index, meaning they can be remotely exploited by an attacker to seize full control of a PC.

The Java vulnerabilities affect both client-side and server-side Java. "The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments, with the most common attack vector being Web browsing and malicious Web pages," said Wolfgang Kandek, CTO of Qualys, in a blog post. "But there are two highly critical vulnerabilities that also apply to server installations -- CVE-2013-5782 and CVE-2013-5830."

Java 7 update 45 is now the latest version of the software. "You should update as quickly as possible on your desktop and laptop machines," said Kandek.

For people still using Java 6 -- or any prior version -- the security advice is to upgrade immediately, or else take steps to safeguard the machine, especially since related attacks will no doubt start soon. "Java 6 is also vulnerable to 11 of the 12 highly critical vulnerabilities, but there are no more public patches for Java 6," Kandek said. "The recommended action for Java 6 here is to upgrade to Java 7, if possible. If you cannot upgrade, I would recommend [that you] isolate the machine that needs Java 6 running and not use it for any other activities that connect it to the Internet, such as e-mail and browsing."

The Java 7 patches are good news for businesses and consumers that still rely on the Web browser plug-in, and Wisniewski at Sophos lauded Oracle's decision to patch all of its products -- including Java -- at the same time. "This is the first time Oracle is patching Java on the same quarterly cycle as other products, and perhaps the first time I have had something positive to say about Oracle security," he said.

On that note, however, he also argued that Oracle still has a long way to go to get its security house in order, despite the company having already delayed the release of Java 8 in April to dedicate more resources on improving Java 7 security.

"I heard that Oracle won the America's Cup recently which leads me to give them some unsolicited advice," said Wisniewski. "Put the award on the shelf in your lobby, sell the $10 million dollar boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash. Three-plus billion devices will thank you."

Oracle's next quarterly patch update is scheduled for January 14, 2014.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zman7
50%
50%
Zman7,
User Rank: Apprentice
10/16/2013 | 5:42:46 PM
re: Oracle Issues Massive Security Patch For Java, Databases
It's sad that all this time and effort has to be wasted on security instead of productive things - all because of idiots and criminals in the world.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2008-3277
Published: 2014-04-15
Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse p...

CVE-2010-2236
Published: 2014-04-15
The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, rela...

CVE-2011-3628
Published: 2014-04-15
Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.0...

CVE-2012-0214
Published: 2014-04-15
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user fro...

CVE-2013-4768
Published: 2014-04-15
The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).

Best of the Web