Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Database

    Oracle Patches 144 New Security Vulnerabilities to Start 2014

    By
    Sean Michael Kerner
    -
    January 15, 2014
    Share
    Facebook
    Twitter
    Linkedin

      The new year is starting off with a bang for Oracle, at least in terms of security updates. In sharp contrast to Microsoft, which today released just four security bulletins, Oracle fixed a staggering 144 new vulnerabilities spread across its software portfolio as part of its quarterly Critical Patch Update (CPU).

      At the top of the list with the most fixed vulnerabilities and widespread impact are 36 security fixes for Oracle’s Java. Oracle first began to include Java security fixes as part of its main CPU release in October of 2013. At that time, Oracle fixed a total of 127 vulnerabilities, with Java accounting for 51 of them.

      With the January crop of Java vulnerabilities, 34 of the 36 flaws are remotely exploitable without user authentication, making them among the most dangerous types of software flaws. Going a step further, Oracle has ranked five of the new Java vulnerabilities as having the highest possible Common Vulnerability Scoring System (CVSS) score of 10.

      Java is among the most attacked and the most patched piece of software in use today. Multiple vendors, including Hewlett-Packard and Kaspersky Lab, reported a surge in Java attacks during 2013. According to Kaspersky, between March and August of 2013, there were at least 8.54 million Java exploit attacks. Brian Gorenc, manager of the Zero Day Initiative at Hewlett-Packard Security Research, spoke at length about Java exploits during a Black Hat USA 2013 session. While Java zero-day exploits are responsible for some attacks, the majority are attacks against vulnerabilities that Oracle has already patched in a public update, though users have not yet updated their own systems.

      “Unfortunately, with Java being an enterprise platform, there are many software vendors that only support the older (exploitable) versions of Java,” Tommy Chin, technical support engineer at Core Security, told eWEEK. “Companies who own and depend of this type of software are locked down from upgrading because the upgrade will break their existing production Java application.”

      Chin suggests that for those who can’t upgrade, they should make sure access control lists are highly audited and access to the Java applications are internal facing and only exposed via virtual private networks (VPNs).

      In addition to Java, Oracle’s Fusion Middleware Suite is being patched for multiple vulnerabilities. In total, Oracle is patching 22 security flaws in Fusion, of which 19 are remotely exploitable without user authentication and only a single flaw carries a CVSS score of 10.

      The Oracle and Sun Systems products suite, which includes the Solaris Unix operating system, is receiving 11 patches, with only one of them being remotely exploitable. Oracle now separately breaks out fixes for the MySQL database, which came to Oracle by way of its acquisition of Sun in 2010. MySQL is being fixed for 18 security vulnerabilities, with only one receiving the highest CVSS score of 10.

      In contrast to MySQL, Oracle’s namesake database is only receiving five security fixes, and only one of the flaws is remotely exploitable without user authentication.

      While the Java updates have a high priority, so too do the other fixes, Ken Pickering, director of engineering at Core Security, told eWEEK.

      “The truth is many Oracle products are in a lot of places, holding or standing in front of a lot of critical data,” Pickering said. “It’s imperative to keep these particular applications up to date, since many of them are business-critical.”

      Pickering added that the fact that the Oracle applications are business critical deployments, typically makes it even more difficult to perform maintenance on them.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×