#1 Trusted Cybersecurity News Platform
Followed by 5.20+ million
The Hacker News Logo
Subscribe – Get Latest News

Oracle Vulnerability | Breaking Cybersecurity News | The Hacker News

Category — Oracle Vulnerability
Highly Critical Flaw (CVSS Score 10) Lets Hackers Hijack Oracle Identity Manager

Highly Critical Flaw (CVSS Score 10) Lets Hackers Hijack Oracle Identity Manager

Oct 31, 2017
A highly critical vulnerability has been discovered in Oracle's enterprise identity management system that can be easily exploited by remote, unauthenticated attackers to take full control over the affected systems. The critical vulnerability tracked as CVE-2017-10151, has been assigned the highest CVSS score of 10 and is easy to exploit without any user interaction, Oracle said in its advisory  published Monday without revealing many details about the issue. The vulnerability affects Oracle Identity Manager (OIM) component of Oracle Fusion Middleware—an enterprise identity management system that automatically manages users' access privileges within enterprises. The security loophole is due to a "default account" that an unauthenticated attacker over the same network can access via HTTP to compromise Oracle Identity Manager. Oracle has not released complete details of the vulnerability in an effort to prevent exploitation in the wild, but here the "def...
Oracle Ordered to Publicly Admit Misleading Java Security Updates

Oracle Ordered to Publicly Admit Misleading Java Security Updates

Dec 22, 2015
Security issues have long tantalized over 850 Million users that have Oracle's Java software installed on their computers. The worst thing is that the software was not fully updated or secure for years, exposing millions of PCs to attack. And for this reason, Oracle is now paying the price. Oracle has been accused by the US government of misleading consumers about the security of its Java software. Oracle is settling with the Federal Trade Commission (FTC) over charges that it " deceived " its customers by failing to warn them about the security upgrades. Java is a software that comes pre-installed on many computers and helps them run web applications, including online calculators, chatrooms, games, and even 3D image viewing. Oracle Left Over 850 Million PCs at Risk The FTC has issued a press release that says it has won concessions in a settlement with Oracle over its failure to uninstall older and insecure Java SE software from customer PCs u...
Want to Grow Vulnerability Management into Exposure Management? Start Here!

Want to Grow Vulnerability Management into Exposure Management? Start Here!

Dec 05, 2024Attack Surface / Exposure Management
Vulnerability Management (VM) has long been a cornerstone of organizational cybersecurity. Nearly as old as the discipline of cybersecurity itself, it aims to help organizations identify and address potential security issues before they become serious problems. Yet, in recent years, the limitations of this approach have become increasingly evident.  At its core, Vulnerability Management processes remain essential for identifying and addressing weaknesses. But as time marches on and attack avenues evolve, this approach is beginning to show its age. In a recent report, How to Grow Vulnerability Management into Exposure Management (Gartner, How to Grow Vulnerability Management Into Exposure Management, 8 November 2024, Mitchell Schneider Et Al.), we believe Gartner® addresses this point precisely and demonstrates how organizations can – and must – shift from a vulnerability-centric strategy to a broader Exposure Management (EM) framework. We feel it's more than a worthwhile read an...
Oracle releases 169 Updates, Including 19 Patches for JAVA Vulnerabilities

Oracle releases 169 Updates, Including 19 Patches for JAVA Vulnerabilities

Jan 21, 2015
Get Ready to update your Java program as Oracle has released its massive patch package for multiple security vulnerabilities in its software. The United States software maker Oracle releases its security updates every three months on Tuesday, which it referred to as " Critical Patch Updates " (CPU). Yesterday, Oracle released its first quarterly CPU-date of this year, issuing a total of 169 security fixes for hundreds of its products including Java, Fusion Middleware, Enterprise Manager and MySQL. The security update for Oracle's popular browser plug-in Java addresses vulnerabilities in the software, 14 of which could be remotely exploitable without authentication, that means an attacker wouldn't need a username and password to exploit them over a network. Four Java flaws were marked most severe and received a score of 10.0 on the Common Vulnerability Scoring System (CVSS) , the most critical ranking. Nine other Java flaws given a CVSS Base Score of 6.0 ...
cyber security

Innovate Securely: Top Strategies to Harmonize AppSec and R&D Teams

websiteBackslashApplication Security
Tackle common challenges to make security and innovation work seamlessly.
Researcher Uncovers Vulnerability Oracle Data Redaction Security Feature

Researcher Uncovers Vulnerability Oracle Data Redaction Security Feature

Aug 09, 2014
Oracle's newly launched Data Redaction security feature in Oracle Database 12c can be easily disrupted by an attacker without any need to use exploit code, a security researcher long known as a thorn in Oracle's side said at Defcon. Data Redaction is one of the new Advanced Security features introduced in Oracle Database 12c. The service is designed to allow administrators to automatically protect sensitive data, such as credit card numbers or health information, during certain operations by either totally obscuring column data or partially masking it. But according to David Litchfield , a self-taught security researcher who found dozens and dozens of critical vulnerabilities in Oracle's products, a close look at this Data Redaction security feature help him found a slew of trivially exploitable vulnerabilities that an attacker don't even need to execute native exploit code to defeat the feature. David Litchfield is a security specialist at Datacomm TSS and th...
Update Your Java to Patch 20 Vulnerabilities Or Just Disable it

Update Your Java to Patch 20 Vulnerabilities Or Just Disable it

Jul 16, 2014
Today, Oracle has released its quarterly Critical Patch Update (CPU) for the month of July, as part of its monthly security bulletin, in which it fixes a total of 113 new security vulnerabilities for hundreds of the company's products. The security update for Oracle's popular browser plug-in Java addresses 20 vulnerabilities in the software, all of which are remotely exploitable without authentication, that means an attacker wouldn't need a username and password to exploit them over a network. MOST CRITICAL ONE TO PATCH FIRST Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One or more of the Java vulnerabilities received the most "critical" rating according to Oracle's Common Vulnerability Scoring System (CVSS), i.e. base score of 10 or near. Although, numerous other Oracle products and software components addressed in the latest security updates, which address ...
ORACLE Subdomain Page Defaced by Indian Hacker

ORACLE Subdomain Page Defaced by Indian Hacker

Apr 23, 2014
A group of Indian Hackers dubbed as I-HOS TEAM has successfully defaced a page on the sub domain of Oracle Corporation, biggest provider of enterprise software, computer hardware and Services. The users visiting the domain are being greeted with a custom webpage with black background and the theme song of an Indian Movie " BOSS ". The defacement page is displaying a logo with title " IHOS - Indian Hackers Online Squad " with a quotation for all the Indian hackers shows, " LOVE TO ALL INDIAN HACKERS OUT THERE. " Neither the website nor the server was actually compromised, but the Hacker going by online alias 'Bl@Ck Dr@GoN', actually found a page on the Oracle website that allows him to inject HTML/JavaScript code into the Oracle University Electronic Attendance webpage in order to modify the content, as shown in the screenshot provided to The Hacker News: Hacker told THN that anyone is able to edit the Student name on the website and can insert any code, which is not san...
Unfixed Reflection API vulnerability reported in Java

Unfixed Reflection API vulnerability reported in Java

Apr 23, 2013
Founder and CEO of Security Explorations of Poland,  Adam Gowdiak has reported a new unpatched security vulnerability in JAVA that affects all Java versions, including 7u21 released last Tuesday. Gowdiak claims to have sent to Oracle a report about a reflection API vulnerability in the newly shipped Server Java Runtime Environment (JRE), notifying them of the new security weakness. " It can be used to achieve a complete Java security sandbox bypass on a target system ," Vulnerability allows attackers to completely bypass the language's sandbox to access the underlying system. Gowdiak has not published any further details about the vulnerability in order to give Oracle time to patch the problem. Last week's Oracle patch update repaired many issues plaguing the platform. Java 7 Update 21 contains 42 new security fixes for Oracle Java SE. A majority of these flaws are browse-to–a-hacked-site-and-get-infected vulnerabilities. According to Oracle, " 3...
New Java exploit sells for $5000 on Black market

New Java exploit sells for $5000 on Black market

Jan 17, 2013
We continues to recommend users disable the Java program in their Web browsers, because it remains vulnerable to attacks that could result in identity theft and other cyber crimes and less than 24 hours after Oracle Sunday released a security update that addresses two critical zero-day vulnerabilities in Java that are being actively exploited by attackers, an online vulnerability seller began offering a brand-new Java bug for sale. According to a report , a Java exploits was being advertised for $5,000 a piece in an underground Internet forum and the new zero-day vulnerability was apparently already in at least one attacker's hands. The thread has since been deleted from the forum indicating a sale has been made, something sure to bring more concern to Oracle.Oracle can't predict the future, and its engineers obviously can't predict what exploits are going to be found in its software. The most recent hold Java fixed allowed hackers to enter a computer by using compro...
Latest Java vulnerability exploitation leads to ransomware

Latest Java vulnerability exploitation leads to ransomware

Nov 10, 2012
Imagine someone getting access to your computer, encrypting all your family photos and other priceless files, and then demanding a ransom for their safe return. That is what ransomware is all about. Symantec's latest research report suggests police-themed ransomware could be a replacement to the once-lucrative fake antivirus scareware trade. According to  report , Ransomware distributors are raking in around $5 million dollars a year and the spoils are being spread among just 16 crime groups. Symantec's estimates suggest a significant but not yet thriving crime business, which delivers each operation, on average, $300,000 a year. Reticently identified Oracle Java SE Remote Java Run time Environment vulnerability (  CVE-2012-5076 ) leads to  Geo located   Ransomware Malware . Java vulnerability actually can allows attacker to unauthorized disclosure of information, unauthorized modification and disruption of service. This R...
Expert Insights / Articles Videos
Cybersecurity Resources