Oracle Plugs 113 Security Holes, 20 for Java
Oracle's latest quarterly Critical Patch Update (CPU), released today, included 113 new security vulnerability fixes for hundreds of Oracle products. Among those fixes, 20 are aimed at Java Standard Edition (Java SE).
The Java security fixes address vulnerabilities that may be remotely exploitable without authentication—an attacker wouldn't need a user name or password to exploit them over a network. Oracle is providing fixes for 17 Java SE client vulnerabilities, 1 for a Java Secure Socket Extension vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server.
Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One of the Java SE vulnerabilities (CVE-2014-4227) in this patch update received the highest possible CVSS Base Score, 10.0. Seven of the other Java SE client vulnerabilities received a CVSS score of 9.3, which means that "a complete compromise of the targeted client is possible, but that the access complexity to exploit these vulnerabilities is 'medium,'" Eric P. Maurice, director of Oracle's Software Security Assurance Group, explained in an Oracle Security blog posting.
Oracle is pointing home users to its download site for the most recent version of Java. The company is also recommending in this announcement that Windows XP users upgrade to a currently supported operating system. The company recently announced that it would no longer support Java on XP, though versions of Java earlier than Java SE 8 will still run on the fading OS. "Running unsupported operating systems, particularly one as prevalent as Windows XP, creates a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider," Maurice wrote.
The largest portion of this collection of patches for multiple security vulnerabilities, 29 of them, addresses problems found in Oracle Fusion Middleware, 27 of which allow remote code execution. The list of Fusion Middleware components needing security patches includes the JDeveloper Java IDE, the GlassFish Communications Server, the iPlanet Web Server, and the WebLogic Server, among others. The highest CVSS score listed for these Fusion Middleware vulnerabilities was 7.5. Fifteen of the security fixes in the Patch Update apply to Oracle Virtualization (also 7.5 on the CVSS scale). And 10 new security fixes are coming for MySQL.
Oracle's previous quarterly patch update, issued in April, included 89 fixes.