Oracle slings 193 patches, nixes exploited Java zero day
Unauthenticated remote code execution among grizzly vulns.
Oracle has poured cold coffee on a recent Java zero-day that's already under active attack, with just one of the critical patches it's released to address 193 holes in its sprawling product suite.
The zero day is the most urgent fix of the lot and of the two dozen other Java patches present among Big Red's quarterly patch release.
Trend Micro researchers Brooks Li and Feike Hacquebord reported the flaw 13 July noting it is being attacked as part of the sophisticated 'Operation PawnStorm' hacking campaign.
Oracle software security assurance director Eric Maurice says the critical patch updates address 13 products.
"Twenty three of these Java SE vulnerabilities are remotely exploitable without authentication [and] 16 are for Java client-only, including one fix for the client installation of Java SE," Maurice says.
"Five of the Java fixes are for client and server deployment [and] one fix is specific to the Mac platform.
"And four fixes are for JSSE client and server deployments. Please note that this Critical Patch Update also addresses a recently announced 0-day vulnerability (CVE-2015-2590), which was being reported as actively exploited in the wild."
The update fixes product families including Oracle Database; Fusion Middleware; Hyperion; Enterprise Manager; E-Business Suite; Supply Chain Suite; PeopleSoft Enterprise; Siebel CRM; Communications Applications; Java SE; Sun Systems Products Suite; Linux and Virtualisation, and MySQL.
Of these 44 are for third-party components included in Oracle products distributions.
Maurice says CVE-2015-2629 is the most severe database vulnerability rated nine for Windows and 6.5 for Linux and Unix.
Oracle Fusion Middleware receives 39 fixes of which 36 address remotely exploitable vulnerabilities without authentication topping a severity score of 7.5.
The now patched zero day was revealed as part of the brutal fallout from the Hacking Team in which 400Gb of emails and source code was published online.
Three since patched then zero day Adobe Flash vulnerabilities were discovered from that cache. ®