Oracle Fixes 20 Remotely Exploitable Java SE Vulns

  /     /     /  
Publicated : 22/11/2024   Category : security


Oracle Fixes 20 Remotely Exploitable Java SE Vulns


Quarterly update for October is the smallest of the year: only 252 flaws to fix! Oracle advises to apply patches without delay.



Oracle this week urged administrators to apply security patches to their systems more quickly even as it increased their burden with a set of fresh fixes for another 252 vulnerabilities across products including Oracle Database Server and Java SE.
Tuesdays
critical patch update
(CPU) is Oracles first since news of the Equifax breach and of serious vulnerabilities in the widely used WPA2 WiFi security protocol, and separately, in numerous products featuring a particular crypto chipset from Infineon.
In its patch availability announcement, Oracle did not specifically call out these incidents as heightening the urgency for organizations to apply its CPUs more promptly. Instead as it usually does, Oracle more generally cautioned customers about periodic reports it receives about intruders successfully breaking into organizations by exploiting vulnerabilities for which the company has already issued patches.
Oracle therefore strongly recommends that customers remain on actively supported versions and apply Critical Patch Update fixes without delay, the company noted.
Big as Octobers CPU is, it is actually smaller than Oracles last one in July when the company announced fixes for 310 flaws and the one before in April that involved patches for 300 vulnerabilities.
Commenting
on the security update, application security vendor Waratek said the CPU contains fixes for bugs in the Java Virtual Machine and five additional components in Oracles Database Server. Two of the patched flaws are remotely exploitable without the need for any credentials.
Oracles October CPU also patches 22 Java SE vulnerabilities, says Chris Goettl, product manager at Ivanti
.
Twenty of these may be remotely exploited without requiring authentication, Goettl says.
What this means is an attacker with a foothold in your environment just needs to be able to resolve a system with one of these vulnerabilities exposed and they would not even need to have a credential to exploit it
.
Unlike Microsofts monthly updates, Oracle releases its security patches once every three months. So the October update is the last one for this year. Up to now in 2017, Oracle has fixed a total of 79 vulnerabilities in Java SE or more than double the 37 it addressed last year, Waratek noted. The sharp increase suggests that Oracle is paying more attention to find flaws in Java SE. But it also underscores the growing risk that the Java platform poses for organizations, the vendor observed in its commentary.
“While smaller than recent CPUs, there are very important updates included in this critical patch such as patches that fix the serialization flaws, Waratek security architect Apostolos Giannakidis said in the guide. This CPU is not backwards compatible for specific cryptographic classes. If security teams are not mindful, applying the CPU risks breaking the application.
James Lee, executive vice president and chief marketing officer at Waratek, says the key takeaway here is that patching quickly is vital. The bad guys have been banging away since the CPU was released looking for the flaws that can be remotely exploited, he notes.
The Oracle CPU is an all-or-nothing patch, so an organization has to apply everything at once, he adds. Between configuration, coding and testing, it can take weeks or months for an organization to fully deploy such updates. So these dont tend to be fast fixes, Lee says.
Patch teams are already under tremendous pressure dealing with new and previously released patches from Oracle, Microsoft, IBM and others while ensuring their organizations are protected against the Apache Struts vulnerability that felled Equifax. Patch teams also have their hands full ensuring their organizations are protected against the WPA2 flaw and the factorization bug in the Infineon chipset, Lee notes. When you layer legacy software on top of that, the teams charged with keeping apps safe are overwhelmed with the task.
Related content:
Securitys #1 Problem: Economic Incentives
                                 
Factorization Bug Exposes Millions Of Crypto Keys To ROCA Exploit
Secure Wifi Hijacked by KRACK Vulns in WPA2
9 Ways Organizations Sabotage Their Own Security: Lessons from the Verizon DBIR
 
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity
agenda here
.

Last News

▸ Travel agency fined £150,000 for breaking Data Protection Act. ◂
Discovered: 23/12/2024
Category: security

▸ 7 arrested, 3 more charged in StubHub cyber fraud ring. ◂
Discovered: 23/12/2024
Category: security

▸ Nigerian scammers now turning into mediocre malware pushers. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Oracle Fixes 20 Remotely Exploitable Java SE Vulns