Database giant Oracle has released a record number of security patches in its latest slew of updates, including critical fixes for Java.
In its latest Patch Update Advisory, the company strongly urged customers to apply all outstanding patches – immediately – following reports of successful attacks against Oracle software. The patches run the whole gamut of Oracle software, including Database Server versions 11 and 12, Fusion Middleware and Applications, WebLogic Portal and Server, Micros retail software, PeopleSoft and JD Edwards business applications, and Java SE.
“Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” it advised.
Eric Maurice, director of Oracle Software Security Assurance, used a blog post to explain the severity of the flaws that the patches will fix.
“Out of these 169 vulnerabilities, eight are for the Oracle Database. None of these database vulnerabilities are remotely exploitable without authentication, but a number of these vulnerabilities are relatively severe. The most severe of these database vulnerabilities (CVE-2014-6567) has received a CVSS Base Score of 9.0 to denote that a full compromise of the targeted server is possible on the Windows platform (for versions prior to Database 12c) but requires authentication,” he wrote.
He added that of the 19 Java SE vulnerabilities, 15 affected client-only installations, two affected both client and server installations, and two affected JSSE (Java Secure Socket Extension).
“This relatively low historical number for Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organisation,” he claimed.
Indeed, after a blizzard of severe security flaws affecting Java, the company promised to fix once and for all the security problems plaguing the platform.
“The plan for Java security is really simple, it’s to get Java fixed up, number one; and then number two is to communicate our efforts widely. We can’t really have one without the other. No amount of talking or smoothing over is going to make anybody happy or do anything for us. We have to fix Java,” said Oracle’s head of Java security, Milton Smith, in a conference call with Java User Group leaders – in January 2013.