In the third patch release of the day, after Adobe and Microsoft, Oracle publishes code fixes for 154 distinct vulnerabilities across a large number of product families. Many of the vulnerabilities addressed are critical, allowing the attacker to achieve remote code execution. Because of the large number of patches, a precise inventory will be crucial for deciding where to patch first.
Oracle released its Critical Patch Update (CPU) for July 2014 with 115 patch updates to a variety of Oracle products. The most critical vulnerabilities fixed by these patches would allow an attacker to take control of the machine that the software is running on – workstation or server.
Oracle just released their announcement of the July Critical Patch Update (CPU). Oracle bundles the security updates for the majority of the products it controls into a quarterly update – something of a Super Tuesday of computer security. This time we are getting 115 fixes for vulnerabilities over 30 different product groups with even more individual software versions affected.
Oracle released today its Critical Patch Update (CPU) for July 2013. The CPU is Oracle’s quarterly mechanism to publish updates for all of its supported products, with the exception of Java. Java is on a different update cycle of every four months, but it will be migrated to the same schedule beginning in October of 2013.
This month’s CPU contains 89 updates touching most of Oracle’s product groups. A large percentage (>40%) of the vulnerabilities addressed allow for remote unauthenticated access for the attacker and should be a priority, particularly on applications that are exposed to the Internet.
Oracle published two critical security updates today. First, a new version of Java has been released that addresses 42 distinct vulnerabilities, with 19 having the highest possible CVSS score of “10”, allowing an attacker to take full control of the machine. This update also addresses the vulnerabilities found during the PWN2OWN competition at CanSecWest in Vancouver in March, where Java was exploited by three different security researchers. Oracle also changed the alerts that come up when one runs a Java applet, introducing distinct states that give more information overall on the nature of the applet. The new versions are update 21 for Java v7 and update 45 for Java v6.
Also today, the Oracle Critical Patch Update (CPU) came out, addressing all other Oracle products. Overall, the April 2013 CPU fixes over 120 vulnerabilities in 13 product groups. An accurate map of installed software will be crucial in applying these patches due to the large number of products covered. We recommend starting with Internet-exposed services, and then proceeding by the CVSS scores attached to each vulnerability.