Fixing Oracle's Latest Zero-Day and 193 Other Vulnerabilities

Updated on August 19, 2016 by UpGuard

Oracle released a critical patch on Tuesday to fix a whopping 193 new security vulnerabilities across its line of database solutions and products. Included in the update are fixes to 25 vulnerabilities in the Java platform alone, including a new high-risk, zero-day vulnerability already used in several high-profile, yet-to-be-publicized attacks.

Java—with its seemingly endless fountain of vulnerabilities and exploits—has drawn much criticism and ire over the years from security professionals, with one research firm recently labeling Oracle's Java as the single biggest security risk to US desktops. Fortunately—with proper vulnerability assessment and monitoring in place—dismantling Oracle and all traces of it from one’s infrastructure is hardly necessary.

The scathing comment was made by Copenhagen-based security vendor Secunia earlier this year, well before Oracle’s Tuesday announcement of its latest critical patch. Secunia asserts that its findings were based on Oracle Java’s penetration rate, number of vulnerabilities, and patch status over the years. Furthermore, because Secunia bases its findings on data from its own install base (the firm develops patch management software) numbering in the millions, the actual number of vulnerabilities could be far greater.

The latest critical patch to the Oracle Java Platform fixes 25 vulnerabilities, including 23 that allow for remote exploitation without authentication, 16 that only affect client installs, and 5 that affect both client and server deployments. Perhaps most notable is a particular high-risk zero-day vulnerability—CVE-2015-2590—already used in various attacks, including one against an unnamed NATO country and—surprise—a U.S. defense organization.

Oracle’s sweeping fixes on Tuesday also included patched vulnerabilities in the following products:

  • Oracle Database
  • Oracle Fusion Middleware
  • Oracle Hyperion
  • Oracle Enterprise Manager
  • Oracle E-Business Suite
  • Oracle Supply Chain Suite
  • Oracle PeopleSoft Enterprise
  • Oracle Siebel CRM
  • Oracle Communications Applications
  • Oracle Java SE, Oracle Sun Systems Products Suite
  • Oracle Linux and Virtualization
  • Oracle MySQL

The fixes—along with detailed information regarding the vulnerabilities—are available in the patch’s advisory note.

In all fairness, the predominance of Java in the market and general user apathy towards patch management are significant contributors to the platform’s bad security rap. Findings from the Secunia report mentioned earlier also revealed that 48 percent of users were not running the latest, patched versions of Oracle Java. Patching critical vulnerabilities shouldn’t be an all-encompassing endeavor—with UpGuard, your infrastructure is constantly monitored and tested to ensure that all critical patches and updates have been consistently applied across all environments.
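As an added illustration of the patch-status check described above (example code, not UpGuard's tooling or anything from Oracle): it parses the legacy Java version strings reported by `java -version`, flags hosts whose update level sits below a per-family patched baseline, and reports the share of hosts not confirmed patched. The baseline numbers and the host inventory are constructed placeholders; the real fixed update numbers come from the Oracle advisory.

```python
import re
from typing import Dict, Optional, Tuple

# Pre-Java 9 version strings look like "1.8.0_45": the second field is the
# family (8) and the suffix after the underscore is the update level (45).
JAVA_VERSION_RE = re.compile(r"^1\.(\d+)\.\d+(?:_(\d+))?")

# Minimum update level that carries the Critical Patch Update fixes, per family.
# PLACEHOLDER numbers: the post does not list fixed versions; take the real
# values from the Oracle advisory it links to.
PATCHED_BASELINE: Dict[int, int] = {8: 50, 7: 80}

def parse_java_version(version: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) for a legacy Java version string, else None."""
    match = JAVA_VERSION_RE.match(version.strip())
    if not match:
        return None
    return int(match.group(1)), int(match.group(2) or 0)

def patch_status(version: str, baseline: Dict[int, int]) -> str:
    """Classify one reported version as patched, unpatched or unknown."""
    parsed = parse_java_version(version)
    if parsed is None:
        return "unknown"          # unparseable output: flag for manual review
    family, update = parsed
    required = baseline.get(family)
    if required is None:
        return "unpatched"        # family with no fix in the baseline (end of life)
    return "patched" if update >= required else "unpatched"

def audit(inventory: Dict[str, str], baseline: Dict[int, int]) -> Dict[str, str]:
    """Map each host name to its patch status."""
    return {host: patch_status(ver, baseline) for host, ver in inventory.items()}

def unpatched_fraction(report: Dict[str, str]) -> float:
    """Share of hosts not confirmed patched (unknown counts as not patched)."""
    if not report:
        return 0.0
    return sum(1 for s in report.values() if s != "patched") / len(report)

# Constructed sample inventory, as if collected from `java -version` per host.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "1.8.0_45",
    "web-02": "1.8.0_60",
    "db-01": "1.7.0_79",
    "app-01": "1.6.0_45",
    "ci-01": "java not installed",
}
```

Run `audit(SAMPLE_INVENTORY, PATCHED_BASELINE)` to get the per-host status; unknown hosts are counted as unpatched on purpose so that a broken collector never makes the fleet look compliant.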
