Vulnerabilities / Threats
11:02 AM
Connect Directly
Repost This

Oracle To Patch 73 Critical Vulnerabilities

Microsoft, Apple, and Adobe have all issued bug fixes recently, and now Oracle is patching Oracle Fusion Middleware, the Sun Products Suite, the Open Office Suite, and other products.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Oracle on Tuesday plans to fix 73 critical bugs, affecting hundreds of its products, as part of its next quarterly patch update.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," according to the company's pre-release patch announcement issued Friday. Many of the vulnerable components are in security software.

The most severe vulnerabilities involve Oracle Fusion Middleware, the Sun Products Suite, and the Open Office Suite. The Sun Products Suite will get 18 security fixes, seven of which can be remotely exploited without authentication. Affected components include Solaris, Sun Java System Access Manager Policy Agent, and OpenSSO Enterprise.

Fusion Middleware will see nine security fixes, six of which can be remotely exploitable without authentication. Affected components include Single Sign On, Oracle WebLogic Server, Oracle Security Service, and Oracle HTTP Server.

Open Office Suite will get eight fixes, seven of which can be exploited remotely. On a related note, on Friday, Oracle announced that it's dropping the commercial version of, turning it into a purely open source, community-driven project. "Given the breadth of interest in free personal productivity applications and the rapid evolution of personal computing technologies, we believe the project would be best managed by an organization focused on serving that broad constituency on a non-commercial basis," said Edward Screven, Oracle's chief corporate architect, in a statement.

On Tuesday, Oracle also will release patches for critical vulnerabilities in Database Server, E-Business Suite, Enterprise Manager Grid Control, Identity Management, JD Edwards, PeopleSoft, Siebel CRM, Supply Chain Products Suite, and WebLogic Server.

Also on the patch front, Adobe on Friday released a fix for a zero-day vulnerability in Adobe Flash Player that's being actively exploited by attackers via malicious websites and emails. According to Adobe, "there are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page, or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform."

Affected software versions include Adobe Flash Player version and earlier for Windows, Macintosh, Linux, and Solaris; version and earlier for Chrome; and version and earlier for Android. In addition, Adobe Air version 2.6.19120 and earlier--for Windows, Macintosh and Linux--got a patch.

Adobe said that by April 25, it will release patches for other software products affected by the vulnerability, which include Adobe Acrobat X for Windows and Macintosh, Reader X for Macintosh, and Adobe Reader 9.4.3 (and earlier 9.x versions) for Windows and Macintosh.

Also on Friday, Apple released several security updates: OS X Security Update 2011-002, Safari 5.0.5, and iOS 4.3.2 (or for Verizon, 4.2.7). Among other features, all contain hard-coded fixes for the bogus security certificates issued last month by Comodo.

Finally, the Oracle, Adobe, and Apple patches follow on the heels of last week's massive Patch Tuesday, in which Microsoft released 17 separate security bulletins detailing 64 software bugs.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

Published: 2014-04-24
The openshift-origin-broker in Red Hat OpenShift Enterprise 2.0.5, 1.2.7, and earlier does not properly handle authentication requests from the remote-user auth plugin, which allows remote attackers to bypass authentication and impersonate arbitrary users via the X-Remote-User header in a request to...

Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

Best of the Web