Oracle fixes 104 flaws in quarterly update, addresses Heartbleed bug

With the update, users can employ a patch for a TIFF zero-day.
Oracle's Critical Patch Update (CPU) plugged 37 holes in the popular Java browser plug-in.

In addition to releasing security fixes for products vulnerable to the “Heartbleed bug,” Oracle has issued its quarterly Critical Patch Update (CPU) this week.

On Tuesday, the CPU addressed 104 flaws across Oracle product lines, including Java, Fusion Middleware and Oracle Database. Of note, the update plugged 37 holes impacting the popular Java browser plug-in.

In a Tuesday blog post, Eric Maurice, Oracle's director of software security assurance, wrote that four of the 37 Java vulnerabilities received a Common Vulnerability Scoring System (CVSS) base score of 10, the most critical ranking.

“Oracle strongly recommends that Java users, particularly home users, keep up with Java releases and remove obsolete versions of Java SE, so as to protect themselves against malicious exploitation of Java vulnerabilities,” Maurice wrote.

He also noted that a critical flaw affecting Oracle Database could allow a “full compromise of the targeted system,” if an attacker is able to authenticate themselves as the victim.

Users also were advised to employ a patch for a vulnerability, CVE-2014-2470, in Oracle's WebLogic Server that could result in a “wide compromise” of the targeted server. The bug was remotely exploitable without authentication, Maurice added.

In addition to releasing its scheduled CPU, Oracle, on Wednesday, provided fixes for products affected by the Heartbleed bug (CVE-2014-0160), a recently discovered vulnerability in widely used versions of the OpenSSL library that ultimately puts SSL/TLS encrypted communications at risk.

According to an Oracle advisory on the threat, a patch is now available for the following company products: MySQL Enterprise Monitor, MySQL Enterprise Server version 5.6, Oracle Communications Session Monitor, Oracle Linux 6, the Oracle Mobile Security Suite, and Solaris 11.2.

In the advisory, the company also included a list of 4.0 Oracle products that are likely vulnerable to the Heartbleed issue, but still await fixes. As a precaution, the company said that future product releases will no longer use the Heartbleed-impacted OpenSSL libraries.
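Since the article notes that only some Oracle products have Heartbleed fixes while others still await them, the first job for an administrator is an inventory: which hosts run an OpenSSL build in the affected range? The following is an added example, not code from Oracle or from the article. It parses OpenSSL version strings against the publicly documented affected range for CVE-2014-0160 (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix, and the 0.9.8 and 1.0.0 branches never had the vulnerable heartbeat code) and flags matching hosts. The inventory lines, host names and the `affected_hosts` helper are constructed for illustration.

```python
import re

# Affected upstream OpenSSL releases for CVE-2014-0160 (public record):
#   1.0.1 .. 1.0.1f  -> vulnerable (1.0.1g fixed it)
#   1.0.2-beta1      -> vulnerable (1.0.2-beta2 fixed it)
#   0.9.8.x, 1.0.0.x -> never contained the TLS heartbeat extension
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text):
    """Split '1.0.1e' or '1.0.2-beta1' into (major, minor, patch, letter, beta)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)                      # '' for a bare 1.0.1
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, patch, letter, beta


def is_heartbleed_affected(version):
    """True if the upstream version number falls in the CVE-2014-0160 range."""
    major, minor, patch, letter, beta = parse_openssl_version(version)
    if (major, minor, patch) == (1, 0, 1):
        # '' (plain 1.0.1) and 'a'..'f' sort before 'g'; 'g' and later are fixed
        return letter < "g"
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1
    return False


# Constructed sample inventory, one host per line, in the shape of
# "<host> OpenSSL <version> <build date>" as `openssl version` prints it.
SAMPLE_INVENTORY = """\
web01 OpenSSL 1.0.1e 11 Feb 2013
web02 OpenSSL 1.0.1g 7 Apr 2014
db01 OpenSSL 1.0.0k 5 Feb 2013
lb01 OpenSSL 1.0.2-beta1 24 Feb 2014
legacy01 OpenSSL 0.9.8y 5 Feb 2013
"""


def affected_hosts(inventory_text):
    """Return the host names whose reported OpenSSL version is in the affected range."""
    hits = []
    for line in inventory_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[1] != "OpenSSL":
            continue                         # skip blank or malformed lines
        host, version = fields[0], fields[2]
        if is_heartbleed_affected(version):
            hits.append(host)
    return hits


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: OpenSSL version in CVE-2014-0160 range, check vendor advisory")
```

One caveat applies to any version-string check like this: distribution vendors, Oracle Linux included, commonly backport a security fix into an existing package without moving the upstream version number, so a host reporting 1.0.1e may already be patched. Treat a hit from this script as a prompt to compare the package release against the vendor's advisory, not as a final verdict, and regenerate TLS keys and certificates on any host that was exposed while vulnerable.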
