Oracle Fixes 42 Java Flaws

Oracle delivered 170 patches yesterday, including 42 for its much-maligned Java programming environment.

Of the Java flaws, Oracle noted 39 of them were remotely exploitable without authentication, meaning IT teams should focus on those with haste. Another 19 of those received the most severe rating of 10.0.

Security experts have heaped opprobrium on Java in recent months, as its vulnerabilities have regularly been used by cyber criminals to infect users’ machines. Various attacks launched exploit kits via websites, which were able to load malware thanks to the many Java flaws those tools were armed with.

TechWeekEurope learned earlier this year that one flaw was selling on the dark markets for $100,000. It was only in February that Java had 50 flaws patched.

Java patched up

“Out of the 42 vulnerabilities, only 2 can affect server deployments of Java.  Server exploitation can only occur as a result of these bugs when malicious data is supplied into specific APIs on the server (e.g., through a web service), and one of these bugs actually require local access to be exploited,” the software titan noted in a blog post, which pointed IT admins to the advisory page for this Java release.

Adam Gowdiak of Security Explorations, who has repeatedly uncovered zero-day Java flaws following previous patch updates, was one of the researchers credited with helping uncover the vulnerabilities.

Gowdiak told TechWeekEurope his long list of Java flaws had all been addressed by Oracle. Although he noted how a Java remote method invocation (RMI) flaw had taken almost eight years to be addressed by Oracle. “The Java SE CPU released yesterday finally incorporates a fix
for the RMI bug known to the vendor since 2005.”

Oracle also patched 128 other vulnerabilities across its product set, including hugely popular systems such as  Oracle Database Server, Oracle Fusion Middleware, MySQL and Siebel CRM. There are some critical patches with a top score of 10, affecting Database Server and Fusion Middleware.

IT teams with big Oracle estates should head here for the company’s advisory to kick off their patching.

What do you know about Internet security? Find out with our quiz!