Patch/Configuration Management, Vulnerability Management

Oracle fixes 104 flaws in quarterly update, addresses Heartbleed bug

In addition to releasing security fixes for products vulnerable to the “Heartbleed bug,” Oracle has issued its quarterly Critical Patch Update (CPU) this week.

On Tuesday, the CPU addressed 104 flaws across Oracle product lines, including Java, Fusion Middleware and Oracle Database. Of note, the update plugged 37 holes impacting the popular Java browser plug-in.

In a Tuesday blog post, Eric Maurice, Oracle's director of software security assurance, wrote that four of the 37 Java vulnerabilities received a Common Vulnerability Scoring System (CVSS) base score of 10, the most critical ranking.

“Oracle strongly recommends that Java users, particularly home users, keep up with Java releases and remove obsolete versions of Java SE, so as to protect themselves against malicious exploitation of Java vulnerabilities,” Maurice wrote.

He also noted that a critical flaw affecting Oracle Database could allow a “full compromise of the targeted system,” provided the attacker can first authenticate to the database.

Users also were advised to apply the patch for CVE-2014-2470, a vulnerability in Oracle's WebLogic Server that could result in a “wide compromise” of the targeted server. That bug is remotely exploitable without authentication, Maurice added.

In addition to releasing its scheduled CPU, Oracle, on Wednesday, provided fixes for products affected by the Heartbleed bug (CVE-2014-0160), a recently discovered vulnerability in widely used versions of the OpenSSL library. The flaw is a missing bounds check in OpenSSL's TLS heartbeat extension: a peer can send a heartbeat request whose declared payload length exceeds the data actually sent, and a vulnerable server echoes back that many bytes from its own memory, up to 64 KB per request, without any authentication. Because that memory can hold session data, credentials and even the server's private key, the bug ultimately puts SSL/TLS-encrypted communications at risk.
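The following is an added example, not code from the article, from Oracle or from OpenSSL. It models the logic of OpenSSL's heartbeat handler before and after the 1.0.1g fix in a self-contained way: a constructed byte array stands in for process memory, with a received heartbeat record at the front and a fake key string placed right after it. The constants, the handler names and the fake secret are assumptions made for the demonstration; the check in the patched handler (type + length + payload + 16 bytes of padding must fit inside the received record) is the one the real fix added.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST  1      /* heartbeat_request type byte (RFC 6520) */
#define HB_PADDING  16     /* minimum padding a heartbeat must carry */
#define MEM_SIZE    128    /* size of the constructed "process memory" */
#define RESP_CAP    64     /* response buffer size used by the helpers */

/* Constructed stand-in for a server heap: the received record is at offset 0
 * and this fake secret happens to sit immediately after it (assumption). */
static unsigned char process_memory[MEM_SIZE];
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY-----";

typedef int (*hb_handler)(const unsigned char *rec, size_t rec_len,
                          unsigned char *out, size_t out_cap);

/* Vulnerable handler, modelled on OpenSSL before 1.0.1g: it trusts the
 * 16-bit length field in the request and copies that many bytes from the
 * record into the response. rec_len (what actually arrived) is never consulted.
 * Returns the number of payload bytes echoed, or -1 if the request is dropped. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                  /* the bug: length never checked */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)payload > out_cap) return -1;       /* keeps this demo's own write safe */
    memcpy(out, rec + 3, payload);                  /* reads past the end of the record */
    return payload;
}

/* Patched handler: the bounds check added in OpenSSL 1.0.1g. A request whose
 * declared payload plus header and minimum padding exceeds the record length
 * is silently discarded, exactly as the fix does. */
static int heartbeat_patched(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;
    if ((size_t)payload > out_cap) return -1;
    memcpy(out, rec + 3, payload);
    return payload;
}

/* Build a record of rec_len bytes that claims claimed_len payload bytes but
 * carries a single real byte, put the secret right after it, run the handler. */
static int run_heartbeat(hb_handler h, uint16_t claimed_len, size_t rec_len,
                         unsigned char *response, size_t cap)
{
    memset(process_memory, 0, sizeof process_memory);
    process_memory[0] = HB_REQUEST;
    process_memory[1] = (unsigned char)(claimed_len >> 8);
    process_memory[2] = (unsigned char)(claimed_len & 0xff);
    process_memory[3] = 'A';                        /* the one genuine payload byte */
    memcpy(process_memory + rec_len, SECRET, sizeof SECRET - 1);
    memset(response, 0, cap);
    return h(process_memory, rec_len, response, cap);
}

static int contains(const unsigned char *buf, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the handler's response carries part of the secret, else 0. */
static int leaks_secret(hb_handler h, uint16_t claimed_len, size_t rec_len)
{
    unsigned char response[RESP_CAP];
    int n = run_heartbeat(h, claimed_len, rec_len, response, sizeof response);
    return n > 0 && contains(response, (size_t)n, "PRIVATE KEY");
}

/* Handler's return value for a given request: payload length or -1. */
static int accepted(hb_handler h, uint16_t claimed_len, size_t rec_len)
{
    unsigned char response[RESP_CAP];
    return run_heartbeat(h, claimed_len, rec_len, response, sizeof response);
}

int main(void)
{
    printf("vulnerable, 4-byte record claiming 40 bytes: leaks secret = %d\n",
           leaks_secret(heartbeat_vulnerable, 40, 4));
    printf("patched, same record: result = %d (dropped)\n",
           accepted(heartbeat_patched, 40, 4));
    printf("patched, well-formed 20-byte record claiming 1 byte: result = %d\n",
           accepted(heartbeat_patched, 1, 20));
    return 0;
}
```

The well-formed 20-byte case shows that the fix does not break legitimate heartbeats: 1 + 2 + 1 + 16 bytes fit exactly, so the single payload byte is echoed. Against a real server the same over-read, repeated, is what let attackers harvest 64 KB chunks of memory per request.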

According to an Oracle advisory on the threat, a patch is now available for the following company products: MySQL Enterprise Monitor, MySQL Enterprise Server version 5.6, Oracle Communications Session Monitor, Oracle Linux 6, the Oracle Mobile Security Suite, and Solaris 11.2.

In the advisory, the company also included a list of some 40 Oracle products that are likely vulnerable to the Heartbleed issue but still await fixes. As a precaution, the company said that future product releases will no longer use the Heartbleed-impacted OpenSSL libraries.
