Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

Oracle To Patch 73 Critical Vulnerabilities

Microsoft, Apple, and Adobe have all issued bug fixes recently, and now Oracle is patching Oracle Fusion Middleware, the Sun Products Suite, the Open Office Suite, and other products.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Oracle on Tuesday plans to fix 73 critical bugs, affecting hundreds of its products, as part of its next quarterly patch update.

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," according to the company's pre-release patch announcement issued Friday. Many of the vulnerable components are in security software.

The most severe vulnerabilities involve Oracle Fusion Middleware, the Sun Products Suite, and the Open Office Suite. The Sun Products Suite will get 18 security fixes, seven of which can be remotely exploited without authentication. Affected components include Solaris, Sun Java System Access Manager Policy Agent, and OpenSSO Enterprise.

Fusion Middleware will see nine security fixes, six of which can be remotely exploitable without authentication. Affected components include Single Sign On, Oracle WebLogic Server, Oracle Security Service, and Oracle HTTP Server.

Open Office Suite will get eight fixes, seven of which can be exploited remotely. On a related note, on Friday, Oracle announced that it's dropping the commercial version of OpenOffice.org, turning it into a purely open source, community-driven project. "Given the breadth of interest in free personal productivity applications and the rapid evolution of personal computing technologies, we believe the OpenOffice.org project would be best managed by an organization focused on serving that broad constituency on a non-commercial basis," said Edward Screven, Oracle's chief corporate architect, in a statement.

On Tuesday, Oracle also will release patches for critical vulnerabilities in Database Server, E-Business Suite, Enterprise Manager Grid Control, Identity Management, JD Edwards, PeopleSoft, Siebel CRM, Supply Chain Products Suite, and WebLogic Server.

Also on the patch front, Adobe on Friday released a fix for a zero-day vulnerability in Adobe Flash Player that's being actively exploited by attackers via malicious websites and emails. According to Adobe, "there are reports that this vulnerability is being exploited in the wild in targeted attacks via a malicious Web page, or a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment, targeting the Windows platform."

Affected software versions include Adobe Flash Player version 10.2.153.1 and earlier for Windows, Macintosh, Linux, and Solaris; version 10.2.154.25 and earlier for Chrome; and version 10.2.156.12 and earlier for Android. In addition, Adobe Air version 2.6.19120 and earlier--for Windows, Macintosh and Linux--got a patch.

Adobe said that by April 25, it will release patches for other software products affected by the vulnerability, which include Adobe Acrobat X for Windows and Macintosh, Reader X for Macintosh, and Adobe Reader 9.4.3 (and earlier 9.x versions) for Windows and Macintosh.

Also on Friday, Apple released several security updates: OS X Security Update 2011-002, Safari 5.0.5, and iOS 4.3.2 (or for Verizon, 4.2.7). Among other features, all contain hard-coded fixes for the bogus security certificates issued last month by Comodo.

Finally, the Oracle, Adobe, and Apple patches follow on the heels of last week's massive Patch Tuesday, in which Microsoft released 17 separate security bulletins detailing 64 software bugs.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-21392
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not restricted to external IP addresses when transitional IPv6 addre...
CVE-2021-21393
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-29429
PUBLISHED: 2021-04-12
In Gradle before version 7.0, files created with open permissions in the system temporary directory can allow an attacker to access information downloaded by Gradle. Some builds could be vulnerable to a local information disclosure. Remote files accessed through TextResourceFactory are downloaded in...
CVE-2021-21394
PUBLISHED: 2021-04-12
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some parameters on the endpoints used to confirm third-party identif...
CVE-2021-22497
PUBLISHED: 2021-04-12
Advanced Authentication versions prior to 6.3 SP4 have a potential broken authentication due to improper session management issue.