Incident Response, TDR, Vulnerability Management

Oracle releases out of cycle fix, Cisco patches six critical vulnerabilities

Oracle and Cisco Wednesday released security updates that addressed critical vulnerabilities in their respective products.  

Oracle released a security update outside its normal quarterly patch cycle to address a serious vulnerability affecting Java SE running in desktop web browsers.

The vulnerability can impact the availability, integrity, and confidentiality of the user's system and can be exploited over a network without the need for authentication, according to a Mar. 23 security advisory.

Affected products include Oracle Java SE 7 Update 97, and 8 Update 73 and 74 for Windows, Solaris, Linux, and Mac OS X.

Researchers said in the advisory that the vulnerability can be exploited if a user is running an affected version of the product in their browser and visits a malicious site that leverages the bug.

Tripwire's Vulnerability and Exposure Research Team security researcher Lane Thames said in comments emailed to SCMagazine.com that it's likely the exploits for the vulnerability will make their way into exploit kits and exploit frameworks soon.

He said the vulnerability was patched out of cycle because of its severity and because technical details of the vulnerability have been disclosed publicly.   

“I don't know this for sure, but I believe that the vulnerability fixed by this patch for CVE-2016-0636 is related to the public disclosure issued by Adam Gowdiak this month related to finding a partially fixed vulnerability from a few years ago for CVE-2013-5838,” Thames said.

Researchers said the vulnerability is not applicable to Java deployments and does not affect Oracle server-based software.

In other news, Cisco released its semiannual IOS and IOS XE security advisory that addressed a total of six high priority vulnerabilities in multiple products.

Five of the vulnerabilities could allow a remote attacker to create a denial-of-service (DoS) condition, while the last one was a data leak, according to a Mar. 23 US-CERT advisory.

Thames said DoS vulnerabilities are common in network equipment and often result from improper parsing or interpretation of data packets that lead to undefined states or transitions.

“Administrators can reduce their risk by ensuring that local area network devices are properly segmented and located behind organizational firewalls,” Thames said.

Anyone with an infected system is urged to update their products immediately. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.