The new Oracle Critical Patch Update addresses close to 100 vulnerabilities across a range of products, but one expert says none are more important than a critical update for Java SE.
Hot on the heels of Microsoft's April 2015 Patch Tuesday release, Redwood City, Calif.-based Oracle Corp. released its own Critical Patch Update (Oracle CPU) this week, which contains a total of 98 patches for a range of products, including MySQL, Fusion Middleware and PeopleSoft.
The Java SE update includes 14 patches in total. According to Eric Maurice, director of Oracle Software Security Assurance, 11 of the 14 vulnerabilities can be exploited only through sandboxed Java Web Start applications or Java applets, meaning the attacker needs a user to load untrusted content in a browser or through Web Start. Even so, Oracle's Java SE Risk Matrix lists all 14 vulnerabilities as remotely exploitable without authentication; that rating describes network reachability, not whether a user has to be lured into the attack. The six highest-rated entries, for Java SE and/or JavaFX, carry Common Vulnerability Scoring System base scores of 7.6 or higher on the 10-point scale and allow a complete compromise of the affected system.
Amol Sarwate, director of engineering at Qualys and a colleague of the company's CTO Wolfgang Kandek, pointed to Java's broad attack surface as the reason to prioritize these fixes.
"Java can be run on workstations as well as on servers," Sarwate said, "so this Java update could be critical for both workstations as well as servers."
The Oracle CPU also features 17 patches for Fusion Middleware, 12 of which can be remotely exploited without authentication. Foremost among them is the fix for CVE-2015-0235 in Oracle Exalogic Infrastructure, which addresses the headline-making GHOST vulnerability: a heap buffer overflow in the GNU C Library's (glibc) __nss_hostname_digits_dots() function, reachable through gethostbyname() and gethostbyname2(). The bug affects glibc 2.2, released Nov. 10, 2000, through 2.17. It was fixed upstream in glibc 2.18 in 2013 but was not recognized as a security issue until January 2015, so long-term-support distributions and the appliances built on them were still shipping affected versions.
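Patching Exalogic is Oracle's side of the job; on any Linux host you run yourself, the practical question is whether the installed glibc still carries the bug. The probe below is an added example modelled on the canary test Qualys published with its advisory; it is not code from this article or from Oracle. It assumes a glibc-based Linux host. It hands gethostbyname_r() a buffer that is exactly as large as the vulnerable code miscounted, followed by a canary: a vulnerable glibc copies the hostname past the end of the buffer and overwrites the canary, while a patched glibc refuses the call with ERANGE before touching it.

```c
/* Added example: probe the running glibc for GHOST (CVE-2015-0235).
 * Modelled on the canary test Qualys published with its advisory; not code
 * from the article. Assumes a glibc-based Linux host.
 *
 * The bug: __nss_hostname_digits_dots(), reached through gethostbyname*(),
 * under-counted the space it needed in the caller's buffer by sizeof(char *)
 * (the alias pointer slot), so a digits-only hostname of just the right
 * length made its strcpy() run past the end of the buffer. */
#define _GNU_SOURCE 1
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Buffer handed to gethostbyname_r(), immediately followed by a canary that a
 * vulnerable glibc overwrites with the tail of the hostname copy. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if the canary was clobbered (vulnerable), 0 if glibc rejected the
 * undersized buffer with ERANGE (patched), and -1 for any other outcome, e.g.
 * a non-glibc libc that resolves the name differently. */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    /* Hostname length that exactly fills the vulnerable code's budget: the
     * buffer minus the 16-byte address, the two-entry address list and the
     * terminating NUL. The sizeof(char *) it forgot for the alias pointer is
     * what spills into the canary. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);   /* digits only: takes the numeric fast path */
    name[len] = '\0';

    /* Re-arm the canary so the function can be called more than once. */
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return 1;                 /* canary smashed: vulnerable */
    if (retval == ERANGE)
        return 0;                 /* patched glibc refused the buffer */
    return -1;                    /* inconclusive */
}

int main(void)
{
    switch (ghost_check()) {
    case 1:  puts("vulnerable: glibc is affected by CVE-2015-0235");      return 1;
    case 0:  puts("not vulnerable: glibc rejected the undersized buffer"); return 0;
    default: puts("inconclusive: unexpected result from gethostbyname_r"); return 2;
    }
}
```

Build with `cc ghost.c -o ghost` and run it on each host; a "vulnerable" verdict means the glibc package needs updating and every long-running process that resolves names (sshd, mail and web servers, the JVM) needs a restart afterwards, since a patched library on disk does nothing for a process that still has the old one mapped. Because the check never sends a DNS query, it is safe to run on isolated systems.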
Kandek also noted that one of the patches for Fusion Middleware affects Oracle's Outside In Technology, the document-viewing library that Microsoft licenses for Exchange, so the fix may have an effect on Microsoft Exchange servers as well.
"There is also an update to Outside-In, which typically triggers an update to Microsoft's OWA [Outlook Web App] one month later," Kandek said, "so prepare your server team for an update to their Exchange server."
Oracle MySQL receives the largest batch of updates with 26, but only four of those can be exploited remotely without authentication. The highest-rated vulnerability here is CVE-2014-0112, which affects MySQL Enterprise Monitor through the Apache Struts 2 framework it bundles: the Struts ParametersInterceptor failed to block access to the getClass() method, letting a remote attacker manipulate the ClassLoader and execute arbitrary code via a crafted request. According to the NVD listing, this vulnerability was first disclosed in April 2014, a year before Oracle shipped the fix in this CPU.
Additionally, the Oracle CPU includes four fixes for Oracle Database, four for Oracle E-Business Suite, seven for Oracle Supply Chain Suite, six for Oracle PeopleSoft Enterprise, one for Oracle JD Edwards EnterpriseOne, one for Oracle Siebel CRM, two for Oracle Commerce Platform, two for Oracle Retail Industry Suite and one for Oracle Health Sciences Applications.