A total of 98 security patches have been pushed

Apr 15, 2015 14:37 GMT  ·  By

Oracle's quarterly Critical Patch Update (CPU) for April 2015 includes security fixes for 14 vulnerabilities in Java SE, all of them exploitable remotely without authentication.

Five of these carry a CVSS (Common Vulnerability Scoring System) base score above 9.0, which marks them as critical and puts them at the top of the patching queue for system administrators.

Java 7 reaches end of life

The CPU lists three Java flaws (CVE-2015-0469, CVE-2015-0459 and CVE-2015-0491) with the maximum CVSS base score of 10.0. Under CVSS version 2, the scale Oracle used for this CPU, a 10.0 means the flaw is reachable over the network, has low access complexity, needs no authentication, and yields a complete compromise of confidentiality, integrity and availability; in practice, it can be exploited without a complex attack.

The affected versions include Java SE 7, for which this CPU is the last public update; businesses with applications that still depend on that release will receive no further public security fixes for it.

According to Oracle's Java SE Support Roadmap, customers still relying on Java 7 who need continued maintenance and security patches can obtain them through the company's paid long-term support offering, or migrate to Java SE 8, the current public release.

GHOST flaw in GNU libc library receives a fix

The total number of vulnerabilities addressed by this quarter’s CPU is 98 and the affected products include Oracle Database, Oracle Fusion Middleware, Oracle E-Business Suite, and Oracle MySQL.

Each of these products receives a patch for at least one significant flaw with a CVSS score of 9.0 or higher. In the case of Oracle Database, the most severe issue scores 9.0, but only on Windows for versions earlier than 12c; the same flaw scores 6.5 in Database 12c on all supported platforms.

Among the 17 fixes for Fusion Middleware is one for GHOST (CVE-2015-0235), the buffer overflow in the GNU C library's gethostbyname() functions, which affects Oracle Exalogic Infrastructure.

The MySQL update integrates 26 fixes; four of them received the maximum severity score and, as with Java, are remotely exploitable without authentication.

Administrators are strongly advised to apply Oracle's quarterly updates as soon as they become available. CPU patches are cumulative for most products, so the current update also carries the fixes from earlier quarters.

In a blog post from the company, Eric Maurice says that the “security fixes provided through the Critical Patch Update program are thoroughly tested to ensure that they do not introduce regressions across the Oracle stack.”