The company's January quarterly release addressed vulnerabilities across hundreds of products and patched bugs that could have been remotely exploitable without authentication.

Oracle released its first quarterly Critical Patch Update (CPU) of the year on Tuesday, issuing 169 security fixes for hundreds of its products.

Vulnerabilities in the company's browser plug-in Java received 19 patches, 14 of which could be remotely exploitable without authentication. Four Java bugs were given a CVSS Base Score of 10.0, the most critical ranking. Nine other CVEs had scores of 6.0 or higher.

"Four out of every five identified CVEs in the CPU can be exploited for full or partial sandbox bypass," said John Matthew Holt, CTO at Waratek, in a prepared statement to SCMagazine.com. "It is a modern-day paradox that Java technology, which rocketed to prominence on the promise of its 'secure sandbox' design, is vulnerable to 16 new sandbox bypasses. That represents one new Java sandbox bypass every 120 hours since the last CPU."

Eight vulnerabilities in Oracle database were also addressed in the recent release, including CVE-2014-6567, which received a CVSS Base Score of 9.0, signaling that a full compromise of a targeted server could be possible on the Windows platform with authentication. None of the database vulnerabilities could be remotely exploitable without authentication.

Four other database vulnerabilities ranked above a 6.0, and CVE-2014-6577 received a rating of 6.8. If exploited, it could result in a complete confidentiality compromise of the targeted systems on database versions prior to 12c on the Windows platform.

A separate bug in the E-Business Suite, CVE-2015-0393, could have granted administrator privileges to lower-level users. Australian researcher David Litchfield discovered and reported the vulnerability to Oracle this past year. He found it during a review of a client's system and believed it to be a backdoor left behind after a hack. In actuality, the “backdoor” turned out to be part of a seeded installation, which left him “flabbergasted,” according to his Twitter account. In a further write-up of the bug, Litchfield said that Oracle “has no documentation for why they did this. This is very concerning.”

Oracle's MySQL received nine fixes, three of which could be remotely exploitable without authentication. The most critical bug, CVE-2015-0411, had a base score of 7.5.

The company also issued 29 fixes for its Sun Systems Products Suite, 10 of which could be remotely exploitable without authentication. One bug, CVE-2013-4784, received a 10.0 rating and another, CVE-2014-4259, received a 9.0.