Get Ready to update your Java program as Oracle has released its massive patch package for multiple security vulnerabilities in its software.
The United States software maker Oracle releases its security updates every three months on Tuesday, which it referred to as "Critical Patch Updates" (CPU). Yesterday, Oracle released its first quarterly CPU-date of this year, issuing a total of 169 security fixes for hundreds of its products including Java, Fusion Middleware, Enterprise Manager and MySQL.
The security update for Oracle’s popular browser plug-in Java addresses vulnerabilities in the software, 14 of which could be remotely exploitable without authentication, that means an attacker wouldn't need a username and password to exploit them over a network.
Four Java flaws were marked most severe and received a score of 10.0 on the Common Vulnerability Scoring System (CVSS), the most critical ranking. Nine other Java flaws given a CVSS Base Score of 6.0 or higher.
"Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches," Oracle said in a pre-release announcement. "Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."
The other most severe ratings of CVSS base score 10.0 belong to Fujitsu M10-1 of Oracle Sun Systems Products Suite, M10-4 of Oracle Sun Systems Products Suite, and M10-4S Servers of Oracle Sun Systems Products Suite.
Eight vulnerabilities in Oracle database were also addressed in the recent release, including CVE-2014-6567, which received a CVSS Base Score of 9.0, as it allows a full compromise of the targeted server on the Windows platform with authentication. None of the database vulnerabilities could be remotely exploitable without authentication.
A total of 10 security updates have been included for Oracle E-Business Suite, including one assigned CVE-2015-0393 discovered and reported to Oracle this past year by Australian researcher David Litchfield, which could have granted administrator privileges to lower-level users.
Six security fixes have been included for Oracle Supply Chain Suite, 7 for Oracle PeopleSoft Enterprise, 1 for Oracle JDEdwards EnterpriseOne, 17 for Oracle Siebel CRM, and 2 for Oracle iLearning. Oracle's MySQL received 9 security fixes, 3 of which could be remotely exploitable without authentication, and the most critical bug, CVE-2015-0411, had a base score of 7.5.
In total, 36 new fixes have been issued for Oracle Fusion Middleware products, and the most severe bug, CVE-2011-1944, received a rating of 9.3 that affects Oracle HTTP Server. Two of the Oracle Fusion Middleware vulnerabilities fixed in this CPU can result in a server takeover.
The company also provided 29 fixes for the Oracle Sun Systems Products Suite, 10 of which could be remotely exploitable without authentication. One bug, CVE-2013-4784, received the highest CVSS base score of 10.0. This particularly nasty flaw affects XCP Firmware versions prior to XCP 2232. Another bug, CVE-2014-4259, received a rating of 9.0.
You can see the full list of affected software from here. The next CPU date is 14 April 2015. Stay Safe! Stay Tuned!