Oracle issues massive quarterly update with Java fixes

Share this article:
Oracle on Tuesday released a massive quarterly security update with fixes for a number of enterprise products, as well as a separate batch of security fixes for Java.

The security update for Java included 29 fixes across Java SE and Java for Business products. Fifteen of the Java flaws earned the highest score of 10 on the company's Common Vulnerability Scoring System (CVSS).

The quarterly security update for enterprise products included 85 security fixes, 31 of which are for Oracle's newly acquired Sun Product Suite. Sixteen of the Sun bugs are remotely exploitable.

Alex Rothacker, manager of database protection vendor Application Security's research team, told SCMagazineUS.com on Wednesday that the update represents one of the largest ever for the database giant.

“Eighty-five is certainly bigger than anything they have done in the past,” Rothacker said. “On the database side, I would say it is business as usual.”

Seven fixes were doled out for the popular Database Server, though only one of the vulnerabilities is remotely exploitable. The most severe Database Server flaw that was patched earned a CVSS score of 7.5. It affects Oracle Enterprise Manager Grid Control, a tool used to manage Oracle databases, and may be exploited over a network without the need for a username and password. However, Oracle Enterprise Manager Grid Control is an optional component that is not used by everyone, Rothacker said.

Meanwhile, one vulnerability affecting Database Server is more severe than its score suggests, Rothacker said. CVE-2010-2415, an SQL injection vulnerability that received a CVSS score of 4.9, could allow the complete takeover of the database management system. Because of its severity, the flaw should have been given a much higher CVSS score, he added.

Tuesday's enterprise product update also included 21 fixes for the PeopleSoft and JDEdwards Suite, eight for Fusion Middleware, six for the E-Business Suite, four for the Siebel Suite, two for the Supply Chain Products Suite and one for the Primavera Products Suite. Rounding out the update, Oracle released four fixes for Oracle VM and a single patch for Enterprise Manager Grid Control.

This was a rare instance when security updates for Java were released in concert with ones for other Oracle products, Eric Maurice, manager for security in Oracle's global technology business unit, wrote in a blog post Tuesday.

Oracle recommended that customers apply the updates as soon as possible.

Share this article:

Sign up to our newsletters

More in News

Russian hacker Seleznev ordered to remain in custody

Roman Seleznev's attorneys requested that the hacker be released on bond, but their pleas were rejected this past week.

Bug in iOS Instagram app fixed, impacts Facebook accounts

The vulnerability comes into play when Instagram users search for Facebook friends to "follow."

AP denied security docs on HealthCare.gov, a risk to private information

AP denied security docs on HealthCare.gov, a risk ...

The Associated Press was denied a request made under the Freedom of Information Act for documents that contain security information on HealthCare.gov.