The new year starts with a bang for Oracle, at least in terms of security updates. In stark contrast to Microsoft, which today published only four security bulletins, Oracle fixed a staggering 144 new vulnerabilities spread across its range of software as part of its quarterly Critical Patch Update (CPU).
Topping the list, both in the number of vulnerabilities fixed and in the breadth of their impact, are 36 security fixes for Oracle Java. Oracle began including Java security fixes as part of its main CPU in October 2013. At that time, Oracle fixed a total of 127 vulnerabilities, 51 of which were in Java.
With the January update, 34 of the 36 Java flaws are remotely exploitable without user authentication, one of the most dangerous classes of software defect. Going a step further, Oracle has rated five of the new Java vulnerabilities with the highest possible Common Vulnerability Scoring System (CVSS) score of 10.
Java is one of the most targeted and most exploited pieces of software in use today. Several vendors, including Hewlett-Packard and Kaspersky Lab, reported an increase in attacks against Java in 2013. According to Kaspersky, between March and August 2013 there were at least 8.54 million Java exploit attacks. The Zero Day Initiative, part of Hewlett-Packard Security Research, spoke at length about Java exploits during a Black Hat USA 2013 session. Although Java zero-day exploits are responsible for some of the attacks, most attacks target vulnerabilities that Oracle has already patched in a public update that users have not yet applied to their systems.
"Unfortunately, being an enterprise Java platform, there are many software vendors that only support older versions (usable) of Java," Tommy Chin, technical support at Core Security, told eWEEK. "The companies that own and depend on this type of software are blocked by reordering, because the update will break their existing production Java applications."
For those who cannot perform the upgrade, Chin suggests checking that access control lists are tightly controlled and that Java applications face inward, exposed only through virtual private networks (VPNs).
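The compensating control Chin describes, an allow-list that exposes an un-upgradable Java application only to VPN clients, is easy to get wrong by leaving a broad "allow" in place. The following is an added example, not code from the article or from Core Security: it evaluates connection attempts against a weak and a hardened ACL with default deny, and audits an ACL for allow rules wider than the VPN subnet. The VPN subnet (10.8.0.0/24), the application port (8443) and the sample connections are constructed values assumed for the example.

```python
"""Allow-list a Java application's listener to the VPN client subnet only.

Added example with constructed addresses; VPN_SUBNET, JAVA_APP_PORT and the
sample connections are assumptions, not values from the article.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network
    port: int
    action: str  # "allow" or "deny"


# Assumed addressing: VPN clients land in 10.8.0.0/24; the Java app listens on 8443.
VPN_SUBNET = ipaddress.ip_network("10.8.0.0/24")
JAVA_APP_PORT = 8443

# Weak ACL: the listener is reachable from anywhere.
WEAK_ACL = [Rule(ipaddress.ip_network("0.0.0.0/0"), JAVA_APP_PORT, "allow")]

# Hardened ACL: only VPN clients may reach the listener; everything else is denied.
HARDENED_ACL = [
    Rule(VPN_SUBNET, JAVA_APP_PORT, "allow"),
    Rule(ipaddress.ip_network("0.0.0.0/0"), JAVA_APP_PORT, "deny"),
]

# Constructed sample connection attempts: (source IP, destination port).
SAMPLE_CONNECTIONS = [
    ("10.8.0.17", 8443),     # VPN client
    ("203.0.113.45", 8443),  # Internet host (TEST-NET-3 documentation range)
    ("192.168.50.9", 8443),  # internal LAN host that is not on the VPN
]


def decide(acl, src_ip, dst_port):
    """First matching rule wins; no matching rule means deny (default deny)."""
    addr = ipaddress.ip_address(src_ip)
    for rule in acl:
        if rule.port == dst_port and addr in rule.source:
            return rule.action
    return "deny"


def audit_acl(acl):
    """Flag allow rules whose source is broader than the VPN client subnet."""
    findings = []
    for rule in acl:
        if rule.action == "allow" and not rule.source.subnet_of(VPN_SUBNET):
            findings.append(
                f"allow from {rule.source} to port {rule.port} "
                f"is wider than the VPN subnet {VPN_SUBNET}"
            )
    return findings


def evaluate(acl):
    """Map each sample source address to the decision the ACL produces."""
    return {src: decide(acl, src, port) for src, port in SAMPLE_CONNECTIONS}


if __name__ == "__main__":
    for name, acl in (("weak", WEAK_ACL), ("hardened", HARDENED_ACL)):
        print(name, evaluate(acl), audit_acl(acl) or "no findings")
```

The audit step is the part worth keeping in a real deployment: an allow-list is only a control while its widest allow rule is the VPN subnet, so re-checking the ACL after every change catches the case where someone re-opens the listener "temporarily".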
In addition to Java, the Oracle Fusion Middleware suite received patches for multiple vulnerabilities. Overall, Oracle patched 22 security vulnerabilities in Fusion Middleware, 19 of them remotely exploitable without user authentication, and a single flaw carries a CVSS score of 10.
The Oracle and Sun Systems Products Suite, which includes the Solaris UNIX operating system, received 11 patches, only one of which is remotely exploitable. Oracle now breaks out separate fixes for the MySQL database, which came to Oracle through its acquisition of Sun in 2010. MySQL received fixes for 18 security vulnerabilities, only one of which carries the highest CVSS score of 10.
Unlike MySQL, Oracle's namesake database received just five security patches, and only one of those flaws is remotely exploitable without user authentication.
While the Java updates are a priority, so are the other fixes, Ken Pickering, director of engineering at Core Security, told eWEEK.
"The truth is that many of Oracle's products are found in many places, holding or standing in front of a lot of critical data. It's important to keep these particular applications up to date, as many of them are critical to the business."
Pickering said that the fact that Oracle applications are, in general, business-critical implementations makes it even more difficult to perform maintenance.