Oracle plugs severe security holes that put systems at hijack risk

The company patched vulnerabilities affecting Java, its databases, enterprise applications and middleware

Oracle fixed on Tuesday 127 security issues in Java, its database and other products, patching some flaws that could let attackers take over systems.

This is the first time Oracle has included Java in its quarterly Critical Patch Update (CPU), as part of the company's previously announced plan to increase the frequency of Java security releases from one every four months to one every three months.

The new Java SE 7 Update 45 (7u45) version released Tuesday contains 51 of the 127 security fixes in this CPU. Fifty of those fixes address vulnerabilities that can be exploited remotely without authentication and 12 of them have the highest possible severity rating which means they can be used to take complete control of the underlying operating system.

Out of 51 vulnerabilities patched in this Java security update, 40 affect only client deployments which include the frequently targeted Java Web browser plug-in and 8 affect both client and server deployments.

These vulnerabilities can be exploited through Java Web Start applications or Java applets, and, in the case of flaws that also affect server deployments, by sending data to application program interfaces (APIs) in the vulnerable components.

Two other Java vulnerabilities addressed in this release affect sites that run the Javadoc tool as a service and host the resulting documentation. The Javadoc tool is used to create HTML documentation files.

The last vulnerability affects jhat, a developer tool that can be used to perform Java heap analysis.

The other 76 security fixes in this CPU that are not related to Java address vulnerabilities in the following Oracle product families: Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle iLearning, Oracle industry Applications, Oracle FLEXCUBE, Oracle Primavera, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization and Oracle MySQL.

Two vulnerabilities were addressed in the Oracle Database Server and both can be exploited remotely without authentication and can result in partial compromise of data confidentiality. Fixing one of them requires customers to enable network encryption between their clients and servers if data is sent over untrusted networks, Eric Maurice, Oracle's director of software assurance, said in a blog post.

In addition to these two vulnerabilities, two others that apply to Oracle Fusion Middleware also apply to database deployments.

Tables listing the exact number of vulnerabilities patched in each product, their severity score and the product versions they affect are included in Oracle's CPU advisory for October.

In addition to Java 7 Update 45, Oracle also released Java 6 Update 65 and Java 5 Update 55 that address the vulnerabilities that also apply to those older versions. However, Oracle discontinued public support for both Java 5 and 6, so these new security updates are only available to customers with extended support contracts.

"In order to address efficiently such a large patch release with over 120 vulnerabilities, we recommend working in the following sequence: Java first, as it is the most attacked software in this release, then vulnerabilities on services that are exposed to the Internet, such as Weblogic, HTTP and others," Wolfgang Kandek, CTO of vulnerability management firm Qualys, said Tuesday in a blog post. "Hopefully your databases are not directly exposed to the Internet, which should give you more time to bring them to the latest patch levels."

Join the CSO newsletter!

Error: Please check your email address.

Tags patchessecuritypatch managementExploits / vulnerabilitiesOraclequalys

More about LinuxMySQLOraclePeopleSoftQualys

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place