Oracle has pushed out a massive security update, including critical fixes for Java SE and the Oracle Sun Systems Products Suite.
Overall, the update contains nearly 170 new security vulnerability fixes, including 36 for Oracle Fusion Middleware. Twenty-eight of these may be remotely exploitable without authentication, meaning they can potentially be exploited over a network without a username and password.
One exploit is that there is still no way of authenticating Java downloads, either a download through HTTPS or a hash fingerprint of the file, accessible via HTTPS. This used to exist up until ~2 years ago, but now it's all insecure (the download can include drive-by malware).
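The download-authentication point raised above, a hash fingerprint published over HTTPS that the downloaded file is checked against, can be illustrated with the following added example. It is not code from the article or from Oracle: the installer bytes, the file name `example-installer.exe` and the `sha256sum`-style fingerprint line are all constructed here so the check runs offline, and the function names are this example's own.

```python
import hashlib
import hmac
import io

CHUNK = 1 << 20  # hash in 1 MiB pieces so a large installer is never fully in memory


def sha256_of_stream(stream) -> str:
    """Return the lowercase hex SHA-256 of everything readable from `stream`."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def parse_fingerprint_line(line: str) -> tuple[str, str]:
    """Parse one sha256sum-style line ('<hex>  <filename>') as a vendor might
    publish it over HTTPS. Returns (hexdigest, filename); rejects anything that
    is not a 64-character hex digest followed by a name."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2 or len(parts[0]) != 64:
        raise ValueError(f"not a sha256sum line: {line!r}")
    digest, name = parts
    int(digest, 16)  # raises ValueError if the digest is not hex
    return digest.lower(), name.lstrip("*")  # '*' marks binary mode in sha256sum output


def verify_download(stream, expected_hex: str) -> bool:
    """True only if the stream's SHA-256 equals the published fingerprint.
    hmac.compare_digest is constant-time; that matters little for a local file
    check, but it is the right habit for any digest comparison."""
    actual = sha256_of_stream(stream)
    return hmac.compare_digest(actual, expected_hex.lower())


# Constructed sample data: a stand-in for a downloaded installer and for the
# fingerprint line a vendor would publish separately. Neither is a real Oracle artifact.
SAMPLE_DOWNLOAD = b"constructed stand-in for an installer binary\n"
SAMPLE_FINGERPRINT_LINE = (
    hashlib.sha256(SAMPLE_DOWNLOAD).hexdigest() + "  example-installer.exe"
)


def demo(tamper: bool = False) -> bool:
    """Run the check on the constructed sample. With tamper=True, flip one bit
    of the download, the way a corrupted or substituted file would differ from
    what the fingerprint was computed over."""
    data = bytearray(SAMPLE_DOWNLOAD)
    if tamper:
        data[0] ^= 0x01
    digest, _name = parse_fingerprint_line(SAMPLE_FINGERPRINT_LINE)
    return verify_download(io.BytesIO(bytes(data)), digest)


if __name__ == "__main__":
    print("untouched download verifies:", demo())
    print("tampered download verifies:", demo(tamper=True))
```

The fingerprint only helps if it is fetched over a channel the attacker cannot alter (HTTPS from the vendor's own site) and is compared against the whole file; a hash published on the same plain-HTTP page as the download adds nothing, which is the gap the comment above is describing.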
The most serious of the bugs, however, impact Java SE and the Fujitsu M10-1, M10-4 and M10-4S. In the case of Java SE, a CVSS Base Score of 10.0 was reported for four distinct client-only vulnerabilities (CVE-2014-6601, CVE-2015-0412, CVE-2014-6549 and CVE-2015-0408).
"Out of these [Java] 19 vulnerabilities, 15 affect client-only installations, 2 affect client and server installations, and 2 affect JSSE installations," blogged Oracle Software Security Assurance Director Eric Maurice.
"This relatively low historical number for Oracle Java SE fixes reflects the results of Oracle's strategy for addressing security bugs affecting Java clients and improving security development practices in the Java development organization."
In the case of the Oracle Sun Systems Products Suite, CVE-2013-4784 has a CVSS rating of 10.0 and affects XCP Firmware versions prior to XCP 2232. Overall, there are 29 security fixes for the suite.
The update also includes eight new security fixes for Oracle Database Server, none of which are remotely exploitable without authentication.
Oracle MySQL has nine security fixes. There are also:
- 10 fixes for Oracle Enterprise Manager Grid Control;
- 10 for Oracle E-Business Suite;
- 6 for the Oracle Supply Chain Products Suite;
- 7 security fixes for Oracle PeopleSoft products;
- 17 for Oracle Siebel CRM;
- 1 for Oracle JD Edwards Products;
- 2 for Oracle iLearning;
- 2 for Oracle Communications Applications;
- 1 for Oracle Retail Applications;
- 1 for Oracle Health Sciences Applications;
- 11 new security fixes for Oracle Virtualization.