News

Oracle Issues 169 Security Fixes, 19 for Java

• By John K. Waters
• January 23, 2015

Oracle's latest quarterly Critical Patch Update (CPU), released this week, provided 169 new security vulnerability fixes across Oracle's product lines, including 19 for Java.

This CPU dealt with fewer Java vulnerabilities than the last one, which provided patches for 25 security holes in Java SE and 9 in the Java Virtual Machine (JVM). Eric P. Maurice, director of Oracle's Software Security Assurance group, remarked on this quarter's lower vulnerabilities count on his group's blog.

"This relatively low historical number for Oracle Java SE fixes reflects the results of Oracle's strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization," he wrote.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. Four of the Java SE vulnerabilities addressed in this CPU (CVE-2014-6601, CVE-2015-0412, CVE-2014-6549, and CVE-2015-0408) received the highest CVSS Base Score of 10.0. These were among the 15 affecting client-only installations. Two others affect client and server installations, and two affect installations of the Java Secure Socket Extension (JSSE).

A CVSS ranking of 9.0 or higher means the vulnerability could allow a complete compromise of a targeted client, though the access complexity to exploit these vulnerabilities is considered "medium."

Maurice also noted that, with this CPU, Oracle will change the behavior of Java SE by disabling by default the use of SSL 3.0, which is considered an obsolete protocol, and which has been "widely targeted" by malicious hackers, thanks to the POODLE vulnerability (CVE-2014-3566), which the company addressed in October's CPU. "Organizations should disable the use of all versions of SSL as they can no longer rely on SSL to ensure secure communications between systems," he added.

The list of Oracle product families covered by this update also includes: the Oracle Database, Fusion Middleware, Enterprise Manager, E-Business Suite, Supply Chain Suite, PeopleSoft Enterprise, JDEdwards EnterpriseOne, Siebel CRM, iLearning, Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Eight of the vulnerabilities addressed in this CPU were found in the Oracle Database. None of the database vulnerabilities are remotely exploitable without authentication, Oracle said, but also noted that a number of them are "relatively severe -- including CVE-2014-6567, which received a CVSS Base Score of 9.0.

In its CPU advisory, Oracle admonished users to apply the security patches soon: "Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."