News

Oracle Adds Critical Patch for Java Cloud Service

• By John K. Waters
• April 22, 2014

Oracle has followed up its quarterly Critical Patch Update (CPU) with an additional security advisory for its Java Cloud Service. According to the company, the security issues covered by the additional advisory did not affect Java SE, which was covered in the company's quarterly update, but only the company's platform for developing and deploying business applications in the cloud.

Oracle issued the CPU after Security Explorations, a Polish security and vulnerability research company, published details of 30 flaws in the cloud service it claimed to have found. But Oracle spokespeople have insisted that the revelations did not prompt the CPU follow up.

"Note that the combination of this announcement with the release of the April 2014 Critical Patch Update is not coincidental or the result of the unfortunate public disclosure of exploit code," insisted Eric P. Maurice, director of Oracle Software Security Assurance, on that group's blog, "but rather the result of the need to coordinate the release of related fixes for our on-premise customers." 

Oracle's most recent CPU was a big one, comprising 104 new security fixes for a range of Oracle products, including 37 Java SE vulnerabilities—4 of which earned a Common Vulnerability Scoring System (CVSS) rating of 10.0, which is very high and marks them as critical. Twenty-nine of those Java SE vulnerabilities affected client-only deployments, six affected both client and server deployments, one affected the Javadoc tool, and one affected unpack200 (the JAR unpacking tool). The vulnerabilities with the high CVSS rating can be exploited remotely without authentication to compromise the host operating system.

Oracle also issued a security alert (Security Alert CVE-2014-0160) and patch following the public unveiling of Heartbleed, a serious vulnerability in OpenSSL, the open source cryptographic library. Heartbleed could allow attackers to read the memory of systems protected by the affected versions of OpenSSL over a network -- no need or a user name or password. Oracle implemented OpenSSL in many of its products. Heartbleed earned a relatively low CVSS rating of 5.0, which Maurice has pointed out "denotes the difficulty in coming up with a system that can rate the severity of all types of vulnerabilities." A fixed version of that crypto library is now available

The list of Oracle products covered by the recent CPU includes Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite, Oracle iLearning, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Oracle advised its customers to apply the latest CPU immediately "due to the relative severity of a number of the vulnerabilities fixed."