ENTERPRISE VENDOR Oracle will issue its first patch update of 2014 on Tuesday and it just so happens that it’ll be one of its biggest ever that includes a slew of security patches, many of which address vulnerabilities in Java.
The Critical Patch Update will address 144 flaws in hundreds of Oracle products, 36 of which apply to vulnerabilities in Java SE, including 34 that are bugs that can be exploited remotely by an attacker without requiring authentication.
“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products”, Oracle said in its pre-release announcement. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”
Five of the security fixes will apply to Oracle Database Server. One of these vulnerabilities might be remotely exploitable without authentication, meaning it could be exploited over a network without the need for a username and password.
The patch update will be released on 14 January for Oracle products and components including JavaFX, versions 2.2.45 and earlier, Java JDK and JRE, versions 5.0u55, 6u65, 7u45 and earlier, and Java SE Embedded, versions 7u45 and earlier.
The highest CVSS 2.0 Base Score for vulnerabilities in Oracle’s Critical Patch Update is 10.0 for Java SE, Java SE Embedded, and JRockit of Oracle Java SE, MySQL Enterprise Monitor of Oracle MySQL, Oracle FLEXCUBE Private Banking of Oracle Financial Services Software and Oracle WebCenter Sites of Oracle Fusion Middleware.
Security firm Qualys’ CTO Wolfgang Kandek warned that plug-ins like Java are one of the main threat vectors as more companies are being infected through web based attacks.
“One needs to pay attention to the browser plug-ins, and in that class, the most important is Oracle’s Java,” Kandek said. “Java just suffered a widely published attack during the Yahoo Ad-based attacks from [December to January 2014], where the Magnitude exploit kit was used to deliver malware to users that were running an outdated version of Java.”
He added that Oracle’s critical patch update will “further tighten its security parameters”.