Oracle released its first Critical Patch Update (CPU) for 2015 on Jan. 20, providing its customers with patches for 169 security vulnerabilities.
Thirty-six of the fixed flaws are in Oracle’s Fusion Middleware products, with Oracle noting that 28 of the flaws may be remotely exploitable without authentication, meaning that an attacker could exploit the issues without the use of a username and password.
The Oracle Sun Systems product suite is being patched for 29 security issues, with 10 of those issues identified as being remotely exploitable without authentication. The Sun Systems product suite includes the Solaris Unix operating system that Oracle gained by way of its 2010 acquisition of Sun Microsystems.
Oracle also gained the Java platform through the Sun acquisition, and Java is also being patched in the January CPU. In total, 19 Java security vulnerabilities were patched, 14 of which are remotely exploitable without authentication. Four of the Java vulnerabilities are rated by Oracle as having the highest possible CVSS (Common Vulnerability Scoring System) score of 10.0.
“While this is a relatively low number of critical vulnerabilities in Java, it demonstrates that Java security issues are far from being over,” Barry Shteiman, director of security strategy at Imperva, told eWEEK. “Companies and products that rely on Java as a core platform should take proper security measures to ensure that it is used securely.”
In a blog post, Eric Maurice, director of Oracle Software Security Assurance, also commented on the improving state of Java security at Oracle.
“This relatively low historical number for Oracle Java SE fixes reflects the results of Oracle’s strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization,” Maurice wrote.
In addition to patching vulnerabilities in Java itself, with the new update Oracle is now also protecting its Java users from the POODLE Secure Sockets Layer (SSL) vulnerability. POODLE was first disclosed by Google in October 2014 as a flaw in the legacy SSLv3.0 protocol for encrypting Web traffic. Oracle is now disabling SSLv3.0 as of the January CPU.
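Applying the CPU does not by itself prove that a given JVM no longer offers SSLv3, since a deployment may run an older runtime or carry an application that explicitly re-enables protocols. The following check is an added example, not code from the article or from Oracle: it asks the JVM's default SSLContext which protocols it enables for new connections and reports whether SSLv3 is still among them. It also prints the `jdk.tls.disabledAlgorithms` security property from `java.security`, which is the standard mechanism for disabling protocols JVM-wide; the class name `Sslv3Check` is an arbitrary choice for this example.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.Security;
import java.util.Arrays;
import java.util.List;

// Added example (not from the article): report whether this JVM still enables
// SSLv3 by default, i.e. whether it remains exposed to POODLE-style downgrade.
public class Sslv3Check {

    // Returns true when "SSLv3" is among the protocols the default SSLContext
    // enables for new connections. Code that calls setEnabledProtocols() on an
    // SSLSocket or SSLEngine can still override this, so audit such calls separately.
    public static boolean sslv3EnabledByDefault() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLParameters params = ctx.getDefaultSSLParameters();
        List<String> enabled = Arrays.asList(params.getProtocols());
        return enabled.contains("SSLv3");
    }

    // Returns the protocols the runtime is capable of (not necessarily enabled),
    // useful to distinguish "disabled by policy" from "not supported at all".
    public static List<String> supportedProtocols() throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        return Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
    }

    public static void main(String[] args) throws Exception {
        System.out.println("Java version: " + System.getProperty("java.version"));
        // Null on runtimes that predate this security property.
        System.out.println("jdk.tls.disabledAlgorithms = "
                + Security.getProperty("jdk.tls.disabledAlgorithms"));
        System.out.println("Supported protocols: " + supportedProtocols());
        System.out.println("Enabled by default:  "
                + Arrays.toString(SSLContext.getDefault()
                        .getDefaultSSLParameters().getProtocols()));
        if (sslv3EnabledByDefault()) {
            System.out.println("RESULT: SSLv3 still enabled by default; POODLE exposure remains");
        } else {
            System.out.println("RESULT: SSLv3 is not enabled by default in this JVM");
        }
    }
}
```

Run it with the same JVM and `java.security` file the application uses, since a check against a different runtime says nothing about the deployed one. If SSLv3 shows up as enabled, adding `SSLv3` to `jdk.tls.disabledAlgorithms` in that runtime's `java.security` disables it for every SSLContext in the process, which is the same effect the article describes the CPU delivering by default.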
Security researcher David Litchfield reported six of the 169 fixed vulnerabilities, including a particularly dangerous backdoor flaw in the Oracle eBusiness suite. The flaw is identified as CVE-2015-0393 and was first reported by Litchfield on June 11, 2014.
“In certain versions of eBusiness suite, the PUBLIC role is granted the INDEX privilege on the DUAL table owned by SYS allowing anyone to create an index on this table,” Litchfield explained in his advisory. “Anyone with a vulnerable eBusiness suite web server connected to the internet is potentially exposed to this as it is possible to chain multiple vulnerabilities to exploit this without a username and password.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.