Oracle released a critical patch on Tuesday to fix a whopping 193 new security vulnerabilities across its line of database solutions and products. Included in the update are fixes to 25 vulnerabilities in the Java platform alone, including a new high-risk, zero-day vulnerability already used in several high-profile, yet-to-be publicized attacks.
Java—with its seemingly endless fountain of vulnerabilities and exploits—has drawn much criticism and ire over the years from security professionals, with one research firm recently labeling Oracle's Java as the single biggest security risk to US desktops. Fortunately—with proper vulnerability assessment and monitoring in place—ripping Oracle Java and all traces of it out of one's infrastructure is hardly necessary.
The more important and difficult question is not why, but how—that is, how can companies not just survive, but thrive in a landscape of digital threats?
The scathing comment was made by Copenhagen-based security vendor Secunia earlier this year, well before Oracle's Tuesday announcement of its latest critical patch. Secunia asserts that its findings were based on Oracle Java's penetration rate, number of vulnerabilities, and patch status over the years. Furthermore, because Secunia bases its findings on data from its own install base (the firm develops patch management software), numbering in the millions, the true number of vulnerabilities could be far greater.
The latest critical patch to the Oracle Java Platform fixes 25 vulnerabilities, including 23 that allow for remote exploitation without authentication, 16 that only affect client installs, and 5 that affect both client and server deployments. Perhaps most notable is a particular high-risk zero-day vulnerability—CVE-2015-2590—already used in various attacks, including one against an unnamed NATO country and—surprise—one against a U.S. defense organization.
Oracle’s sweeping fixes on Tuesday also included patched vulnerabilities in the following products:
Oracle Fusion Middleware
Oracle Enterprise Manager
Oracle E-Business Suite
Oracle Supply Chain Suite
Oracle PeopleSoft Enterprise
Oracle Siebel CRM
Oracle Communications Applications
Oracle Java SE, Oracle Sun Systems Products Suite
Oracle Linux and Virtualization
The fixes—along with detailed information regarding the vulnerabilities—are available in the patch’s advisory note.
In all fairness, the predominance of Java in the market and general user apathy towards patch management are significant contributors to the platform’s bad security rap. Findings from the Secunia report mentioned earlier also revealed that 48 percent of users were not running the latest, patched versions of Oracle Java. Patching critical vulnerabilities shouldn’t be an all-encompassing endeavor—with UpGuard, your infrastructure is constantly monitored and tested to ensure that all critical patches and updates have been consistently applied across all environments.
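The patch-status monitoring described above boils down to a simple check repeated across every host: parse the installed Java version and compare it against the minimum update level that carries the fix. The script below is an added illustration of that check, not code from the article or from UpGuard. The host inventory is constructed sample data, and the minimum update numbers are placeholders; the real values for a given patch come from Oracle's advisory. Anything that fails to parse, or belongs to a major release with no known minimum, is reported as unpatched rather than silently passed.

```python
import re

# Constructed inventory: hostname -> first line of `java -version` output.
# These strings are sample data, not collected from any real host.
SAMPLE_INVENTORY = {
    "web-01": 'java version "1.8.0_45"',
    "web-02": 'java version "1.8.0_51"',
    "db-01": 'java version "1.7.0_79"',
    "build-01": 'openjdk version "1.7.0_85"',
    "legacy-01": 'java version "1.6.0_45"',
}

# Minimum patched update per major release. Placeholder values: take the
# real numbers from the advisory for the patch you are verifying.
MINIMUM_UPDATE = {8: 51, 7: 85}

# Legacy Java version format: 1.<major>.0_<update>, as printed by Java 6/7/8.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.0_(\d+)')


def parse_java_version(line):
    """Return (major, update) from a legacy-format `java -version` line, or None."""
    m = _VERSION_RE.search(line)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(line, minimums=MINIMUM_UPDATE):
    """True only if the version parses and meets the minimum for its major release.

    Unparseable output and majors with no entry in `minimums` are treated as
    unpatched, so a host is never reported clean by accident.
    """
    parsed = parse_java_version(line)
    if parsed is None:
        return False
    major, update = parsed
    if major not in minimums:
        return False
    return update >= minimums[major]


def find_unpatched(inventory, minimums=MINIMUM_UPDATE):
    """Return sorted hostnames whose Java is below the required patch level."""
    return sorted(h for h, line in inventory.items() if not is_patched(line, minimums))


def patch_coverage(inventory, minimums=MINIMUM_UPDATE):
    """Percentage of hosts at or above the minimum, rounded to one decimal."""
    if not inventory:
        return 0.0
    patched = sum(1 for line in inventory.values() if is_patched(line, minimums))
    return round(100.0 * patched / len(inventory), 1)


if __name__ == "__main__":
    for host in find_unpatched(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]}")
    print(f"coverage: {patch_coverage(SAMPLE_INVENTORY)}%")
```

In practice the inventory would be filled from whatever collects `java -version` output on each host, and `MINIMUM_UPDATE` would be updated on every critical patch release; the fail-closed handling of unknown majors is what keeps an end-of-life Java 6 install from disappearing from the report.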