Apple has updated their versions of Java in lockstep with Oracle. Due to the cross-platform nature of Java, Mac OS X users should be as quick to update Java as Windows users.
Today Oracle had two major releases: a new version of Java addressing 30 vulnerabilities and the Oracle Critical Patch Update (CPU) addressing over 100 vulnerabilities in 10 products.
The Java update should be applied as soon as possible to workstations and servers. It contains patches for 10 highly critical vulnerabilities that all have a CVSS of 10, all remotely exploitable without authentication. Oracle credits a number of contributors for the vulnerabilities found, including Security Explorations, a security company from Poland that had submitted a large number of vulnerabilities to Oracle in April of this year.
Oracle’s second release contains 109 separate patches for major Oracle products. The Oracle RDBMS product is updated to deal with a flaw publicly disclosed last month during the security conference Ekoparty (CVE-2012-3137), which has the highest CVSS score of 10, at least when running under Windows. Oracle’s MySQL product also gets a new version that fixes 14 vulnerabilities, two of which can be accessed remotely with authentication. Oracle Solaris and GlassFish products are affected by flaws that are similarly remotely exploitable, and their users should take a close look at the fixes provided. Further product areas included are Oracle Fusion Middleware, PeopleSoft, JD Edwards and others.
With the number of vulnerabilities addressed today being so high, a good map to the installed applications in your organization becomes essential to plan the roll-out. We recommend starting with exposed services first, including the Java patch on workstations, Solaris and Glassfish and potentially MySQL on Internet connected servers. Oracle’s core RDBMS is affected by a publicly known vulnerability, making it another candidate for an accelerated update deployment.
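The roll-out planning described above starts with knowing which hosts run which Java build. As an added example that is not part of the original post, the script below parses `java -version` output collected from hosts, compares each build against the patched level for its Java family, and ranks the outdated hosts with Internet-exposed systems first. The inventory, the exposed-host list and the minimum versions are all constructed placeholders (the `_99` update numbers are not real); substitute the update levels from Oracle's advisory for the release you are deploying.

```python
import re
import subprocess

# Matches the first line of `java -version` (printed on stderr), e.g. java version "1.7.0_07"
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(output):
    """Return (major, minor, micro, update) parsed from `java -version` output, or None."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def java_family(version):
    """Under Oracle's 1.x.0_NN numbering the family is the second component (1.7.0_07 -> 7)."""
    return version[1]


def needs_update(version, minimum_by_family):
    """True when the installed build is below the patched level for its family.
    A family with no patched level on record is flagged for review rather than ignored."""
    floor = minimum_by_family.get(java_family(version))
    return floor is None or version < floor


def triage(inventory, minimum_by_family, exposed_hosts):
    """Rank hosts for roll-out: exposed and outdated first, then internal outdated.
    inventory maps hostname -> raw `java -version` output.
    Returns buckets 'exposed', 'internal', 'current' and 'unparsed' (hostnames sorted)."""
    result = {"exposed": [], "internal": [], "current": [], "unparsed": []}
    for host, output in sorted(inventory.items()):
        version = parse_java_version(output)
        if version is None:
            result["unparsed"].append(host)
        elif not needs_update(version, minimum_by_family):
            result["current"].append(host)
        elif host in exposed_hosts:
            result["exposed"].append(host)
        else:
            result["internal"].append(host)
    return result


def local_java_version():
    """Collect the version from the host this runs on (java prints it on stderr)."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return parse_java_version(proc.stderr + proc.stdout)


# Constructed sample data, not a real inventory. The patched levels are placeholders:
# replace the update numbers with the ones from Oracle's advisory for this release.
PLACEHOLDER_MINIMUM = {7: (1, 7, 0, 99), 6: (1, 6, 0, 99)}
SAMPLE_INVENTORY = {
    "ws-01": 'java version "1.7.0_07"\nJava(TM) SE Runtime Environment (build 1.7.0_07-b10)',
    "ws-02": 'java version "1.6.0_35"\nJava(TM) SE Runtime Environment (build 1.6.0_35-b10)',
    "app-03": 'java version "1.7.0_99"\nJava(TM) SE Runtime Environment (build 1.7.0_99-b01)',
    "db-04": "bash: java: command not found",
}
SAMPLE_EXPOSED = {"ws-01", "app-03"}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY, PLACEHOLDER_MINIMUM, SAMPLE_EXPOSED).items():
        print(f"{bucket:9s} {', '.join(hosts) or '-'}")
```

Hosts whose output cannot be parsed land in the `unparsed` bucket instead of silently counting as patched; a host with no Java on the path still needs a second look, since a bundled JRE inside an application does not show up in `java -version`.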