Oracle urges users to adhere 113 patches pronto
It’s been over two months since Java 8 officially launched - and now the platform can ‘celebrate’ its first ever patches - though fortunately, this is all routine. Oracle have just released the latest in its quarterly Critical Patch Update (CPU) series, totalling 113 fixes, for a range of products across the software giant’s ecosystem.
Compared to January’s mammoth drop - 144 fixes, 36 of these to address malware capable of targeting vulnerabilities in Java SE, including 34 that are bugs that can be exploited remotely by an attacker without requiring authentication, this is a fairly light load. Thanks to the San Franciscan oligarch’s April emergency Heartbleed surgery, there’s not a huge emphasis on addressing the mega-bug in this big push.
For Java, there are 20 vulnerabilities to be tended to, all of them on client side Java, i.e. on workstations that execute applets (could have seen that one coming) and Java web start applications. As Wolfgang Kandek notes, the most most pressing issue is CVE-2014-4227 with a CVSS score of 10.0 (the highest possible under the current rating system) which affects Java 6, 7 and also youthful version 8. On top of this, there are a further seven vulnerabilities that have a CVSS score of 9.3 that are considered critical.
There are also ten plugs for Oracle MySQL, and patches for the Oracle RDBMS, 15 fixes for Oracle’s virtualization related wares (seven of these in VirtualBox), and remedies for Oracle Fusion Middleware, which mainly groups all of the Oracle application servers: Glassfish, Weblogic, iPlanet and HTTP. 29 vulnerabilities all-in-all, with the highest severity of 7.5 found in CVE-2013-1741.
With Java’s well publicized security issues, cyber criminals have honed in on the platform, even managing to penetrate Java 7’s native layer in the past year. With hacks for the software bundled in many popular ExploitKits, we don’t have to tell you that it should be a top priority to get these patches in place as soon as possible.