Neustar International Security Council launched ... » LONDON, UK: Neustar, Inc. has announced the launch of the Neustar International Security Council (NI... RiskIQ Digital Threat Management Platform Recognis... » LONDON, UK: RiskIQ has been recognised in an Ovum Research “On the Radar” report for providing orga... ExtraHop introduces new professional services fo... » UK: Today at Interop ITX has announced new professional services for cloud migration, datacenter mig... MIKE SMITH BECOMES NEW ECA PRESIDENT » A highly respected electrical engineer and businessperson – Mike Smith of SES Engineering Services –... Patriot One obtains purchase agreement with rese... » TORONTO:  Patriot One Technologies Inc. has announced a reseller agreement with Information Technolo... TDSi and LITESTAR announce new partnership in Si... » Poole: TDSi has announced a new partnership with Singapore-based installation specialist LITESTAR Te... FSA 10TH BIRTHDAY TOPS THE BILL AT IFSEC SHOW » Fire and security business representatives are being urged to attend the Fire & Security Association... Intercede announces Secure Login for WordPres... » Lutterworth, England/Reston, VA: Recently, digital identity and credentials expert, Intercede announ... Senior Intelligence Official Ron Moultrie joi... » NEW YORK, NY: Balabit has announced today that the former Director of Operations at the National Sec... Luke Kleszcz joins security manufacturer as Fina... » Poole: Integrated has announced the growth of its Finance team with the appointment of its new Finan...

CLICK HERE TO

SOCIAL BOOKMARK

Oracle’s Critical Patch Update (CPU) for July has seen 115 updates to a variety of Oracle products. Java has been the busiest with 20 vulnerabilities being addressed, the most severe of which is CVE-2014-4227, affecting Java v6, v7 and v8. The most critical vulnerabilities fixed by these patches would allow an attacker to take control of the machine that the software is running on - workstation or server.

 

Let’s take a look at the groups of software that are affected:

Oracle Java, which has 20 vulnerabilities addressed. The most severe is CVE-2014-4227 with a CVSS score of 10.0 which affects Java v6, v7 and also the newest v8. There are another seven vulnerabilities that have a CVSS score of 9.3 that are considered critical. All of the critical vulnerabilities apply to client side installation of Java, i.e. Java on workstations that execute applets and Java Web start applications. Since Java has been on the radar for many cyber criminals and we have seen Java vulnerabilities included in common ExploitKits, you should address these problems as soon as possible.

Oracle MySQL, with ten vulnerabilities addressed. The highest score is CVSS 6.5, indicating network accessible vulnerabilities that require authentication, i.e. a username and password to log into the database. We frequently see MySQL databases connected directly to the Internet, Shodan lists almost four million entries for the MySQL port 3306 that are not firewalled, so we recommend fast patching for these issues, especially if you are on that list of Internet accessible IP addresses. Oracle calls out that this update also includes a fix for the Heartbleed vulnerability (CVE-2014-0160) in the MySQL Enterprise server 5.6

Oracle RDBMS, the flagship product of Oracle that many associate with the brand Oracle. Five vulnerabilities addressed, the most severe with a CVSS score of 9.0 in the XML parser of the included HTTP module: CVE-2013-3751, only present in RDBMS v12, in v11 the vulnerability was fixed last year already.

In the virtualization space, Oracle addresses 15 vulnerabilities, including seven in the popular virtualization software VirtualBox.

Oracle Fusion Middleware, which mainly groups all of the Oracle application servers: Glassfish, Weblogic, iPlanet and HTTP. 29 vulnerabilities all-in-all, with the highest severity of 7.5 found in CVE-2013-1741.

Further there are seven updates for Oracle Hyperion, six for Siebel CRM, five for E-Business, five for PeopleSoft, four for Solaris, three for Supply Chain and one each for Grid Control, Retail and Communications.

Oracle reported no updates for Oracle Outside In component. Outside In is used by Microsoft Exchange server as a library and a flaw here would cause an update by Microsoft in one of the following months - not this time, so you’re safe for another quarter.

So, as expected a big update by Oracle. A good inventory of installed software is crucial to assure that you address all installed versions. But start by focusing on the basics: Java, MySQL and then Oracle RDBMS.