Oracle Patches 169 Vulnerabilities in January Update
Oracle fixes security flaws across its software portfolio, including ones in its database, e-business suite, Solaris and Java.
Oracle released its first Critical Patch Update (CPU) for 2015 on Jan. 20, providing its customers with patches for 169 security vulnerabilities. Thirty-six of the fixed flaws are in Oracle's Fusion Middleware products, with Oracle noting that 28 of the flaws may be remotely exploitable without authentication, meaning that an attacker could exploit the issues without the use of a username and password.
The Oracle Sun Systems product suite is being patched for 29 security issues, with 10 of those issues identified as being remotely exploitable without authentication. The Sun Systems product suite includes the Solaris Unix operating system that Oracle gained by way of its 2010 acquisition of Sun Microsystems.
Oracle also gained the Java platform through the Sun acquisition, and Java is being patched in the January CPU as well. In total, 19 Java security vulnerabilities were patched, 14 of which are remotely exploitable without authentication. Four of the Java vulnerabilities are rated by Oracle as having the highest possible CVSS (Common Vulnerability Scoring System) score of 10.0.
"While this is a relatively low number of critical vulnerabilities in Java, it demonstrates that Java security issues are far from being over," Barry Shteiman, director of security strategy at Imperva, told eWEEK. "Companies and products that rely on Java as a core platform should take proper security measures to ensure that it is used securely."