Feeds

Oracle drops shedload of CRITICAL vuln-busting Java patches

Sysadmins, look away - Oracle's biz suites have more holes than a Swiss cheese

Top 5 reasons to deploy VMware with Tegile

Oracle's autumn batch of quarterly updates included no fewer than 127 security fixes, including 51 for Java alone.

The arrival of the Critical Patch Update (CPU) from Oracle means pretty much all of the enterprise server packages from the software giant need patching.

Oracle Database Server, Oracle E-Business Suite, Oracle PeopleSoft Products, Oracle Siebel CRM, Oracle and Sun Systems Products Suite, Oracle Virtualization and Oracle MySQL all need security fixes for one reason or another. Many of the patched vulns allow attackers to gain remote unauthenticated access to marks' networks.

The October update marks the first occasion Oracle has patched Java on the same quarterly cycle as other products, a move that makes sense and is arguably overdue – Java updates previously arrived on a four month cycle.

The numerous Java updates are the most serious and pressing of of the whole batch, according to security experts.

"The update addresses 51 vulnerabilities, with 12 vulnerabilities having the highest CVSSv2 score of 10, indicating that these vulnerabilities can be used to take full control over the attacked machine over the network without requiring authentication," warns Wolfgang Kandek, CTO at cloud security firm Qualys in a blog post.

"The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments,” adds Kandek, “with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830. The new version is Java 7 update 45, and you should update as quickly as possible on your desktop and laptop machines."

Ross Barrett, senior manager of security engineering at vlun management biz Rapid7, said: "Aside from Java, it's mostly ho-hum, low impact stuff. There's a CVSS 8.5 vulnerability in MySQL's Enterprise Service manager, but besides the Java patches, nothing else jumps out as particularly interesting."

Chester Wisniewski, a senior security advisor at Sophos Canada, notes that some of the Java updates rely on operating system vendor support rather than auto-updates, a factor that further complicates the update process.

"[The] 51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser," Wisniewski explains. "Worse yet, all but one are remotely exploitable without authentication."

Wisniewski repeats what's become standard advice from security vendors: Java can be useful elsewhere but it doesn't belong in the browser, where it presents by far the greatest security risk.

"If you don't need Java, get rid of it. Java can be useful for applications (Minecraft, payroll, mortgage calculators) and server-side applications (JBoss and more), but it doesn't belong in your browser," Wisniewski writes. "If you're not sure, I recommend disabling it. If you run across things that require Java, your browser will alert you with instructions."

Kandek concurs with the advice that patching Java, moving to the latest version 7 where possible, ought to be the first order of business. Internet-facing servers and databases also need patching sooner rather than later, he adds.

"We recommend working in the following sequence: Java first, as it is the most attacked software in this release, then vulnerabilities on services that are exposed to the Internet, such as Weblogic, HTTP and others. Hopefully your databases are not directly exposed to the Internet, which should give you more time to bring them to the latest patch levels," Kandek advises. ®

Internet Security Threat Report 2014

More from The Register

next story
'Kim Kardashian snaps naked selfies with a BLACKBERRY'. *Twitterati gasps*
More alleged private, nude celeb pics appear online
Home Depot ignored staff warnings of security fail laundry list
'Just use cash', former security staffer warns friends
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Freenode IRC users told to change passwords after securo-breach
Miscreants probably got in, you guys know the drill by now
THREE QUARTERS of Android mobes open to web page spy bug
Metasploit module gobbles KitKat SOP slop
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha
A good day for privacy as invisble.im also reveals its approach to untraceable chats
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.