Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Database

    Oracle Patches 144 New Security Vulnerabilities to Start 2014

    By
    SEAN MICHAEL KERNER
    -
    January 15, 2014
    Share
    Facebook
    Twitter
    Linkedin

      The new year is starting off with a bang for Oracle, at least in terms of security updates. In sharp contrast to Microsoft, which today released just four security bulletins, Oracle fixed a staggering 144 new vulnerabilities spread across its software portfolio as part of its quarterly Critical Patch Update (CPU).

      At the top of the list with the most fixed vulnerabilities and widespread impact are 36 security fixes for Oracle’s Java. Oracle first began to include Java security fixes as part of its main CPU release in October of 2013. At that time, Oracle fixed a total of 127 vulnerabilities, with Java accounting for 51 of them.

      With the January crop of Java vulnerabilities, 34 of the 36 flaws are remotely exploitable without user authentication, making them among the most dangerous types of software flaws. Going a step further, Oracle has ranked five of the new Java vulnerabilities as having the highest possible Common Vulnerability Scoring System (CVSS) score of 10.

      Java is among the most attacked and the most patched piece of software in use today. Multiple vendors, including Hewlett-Packard and Kaspersky Lab, reported a surge in Java attacks during 2013. According to Kaspersky, between March and August of 2013, there were at least 8.54 million Java exploit attacks. Brian Gorenc, manager of the Zero Day Initiative at Hewlett-Packard Security Research, spoke at length about Java exploits during a Black Hat USA 2013 session. While Java zero-day exploits are responsible for some attacks, the majority are attacks against vulnerabilities that Oracle has already patched in a public update, though users have not yet updated their own systems.

      “Unfortunately, with Java being an enterprise platform, there are many software vendors that only support the older (exploitable) versions of Java,” Tommy Chin, technical support engineer at Core Security, told eWEEK. “Companies who own and depend of this type of software are locked down from upgrading because the upgrade will break their existing production Java application.”

      Chin suggests that for those who can’t upgrade, they should make sure access control lists are highly audited and access to the Java applications are internal facing and only exposed via virtual private networks (VPNs).

      In addition to Java, Oracle’s Fusion Middleware Suite is being patched for multiple vulnerabilities. In total, Oracle is patching 22 security flaws in Fusion, of which 19 are remotely exploitable without user authentication and only a single flaw carries a CVSS score of 10.

      The Oracle and Sun Systems products suite, which includes the Solaris Unix operating system, is receiving 11 patches, with only one of them being remotely exploitable. Oracle now separately breaks out fixes for the MySQL database, which came to Oracle by way of its acquisition of Sun in 2010. MySQL is being fixed for 18 security vulnerabilities, with only one receiving the highest CVSS score of 10.

      In contrast to MySQL, Oracle’s namesake database is only receiving five security fixes, and only one of the flaws is remotely exploitable without user authentication.

      While the Java updates have a high priority, so too do the other fixes, Ken Pickering, director of engineering at Core Security, told eWEEK.

      “The truth is many Oracle products are in a lot of places, holding or standing in front of a lot of critical data,” Pickering said. “It’s imperative to keep these particular applications up to date, since many of them are business-critical.”

      Pickering added that the fact that the Oracle applications are business critical deployments, typically makes it even more difficult to perform maintenance on them.

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×