
Oracle’s Critical Patch Update (CPU) for July delivers 115 fixes across a variety of Oracle products. Java is the busiest, with 20 vulnerabilities addressed, the most severe of which is CVE-2014-4227, affecting Java v6, v7 and v8. The most critical vulnerabilities fixed by these patches would, if left unpatched, allow an attacker to take control of the machine the software is running on - workstation or server.


Let’s take a look at the groups of software that are affected:

Oracle Java, which has 20 vulnerabilities addressed. The most severe is CVE-2014-4227 with a CVSS score of 10.0, which affects Java v6, v7 and also the newest v8. There are another seven vulnerabilities with a CVSS score of 9.3 that are considered critical. All of the critical vulnerabilities apply to client-side installations of Java, i.e. Java on workstations that execute applets and Java Web Start applications. Since Java has been on the radar of many cyber criminals for a long time and we have seen Java vulnerabilities included in common exploit kits, you should address these problems as soon as possible.

Oracle MySQL, with ten vulnerabilities addressed. The highest score is CVSS 6.5, indicating network-accessible vulnerabilities that require authentication, i.e. a username and password to log into the database. We frequently see MySQL databases connected directly to the Internet: Shodan lists almost four million entries for the MySQL port 3306 that are not firewalled. We therefore recommend fast patching for these issues, especially if you are on that list of Internet-accessible IP addresses. Oracle calls out that this update also includes a fix for the Heartbleed vulnerability (CVE-2014-0160) in the MySQL Enterprise server 5.6.

Oracle RDBMS, the flagship product that many associate with the Oracle brand. Five vulnerabilities are addressed, the most severe with a CVSS score of 9.0 in the XML parser of the included HTTP module: CVE-2013-3751. It is only present in RDBMS v12; in v11 the vulnerability was already fixed last year.

In the virtualization space, Oracle addresses 15 vulnerabilities, including seven in the popular virtualization software VirtualBox.

Oracle Fusion Middleware, which mainly groups all of the Oracle application servers: Glassfish, Weblogic, iPlanet and HTTP. 29 vulnerabilities in all, with the highest severity of 7.5 found in CVE-2013-1741.

Further, there are seven updates for Oracle Hyperion, six for Siebel CRM, five for E-Business, five for PeopleSoft, four for Solaris, three for Supply Chain and one each for Grid Control, Retail and Communications.

Oracle reported no updates for the Oracle Outside In component. Outside In is used by Microsoft Exchange Server as a library, and a flaw there would trigger an update by Microsoft in one of the following months - not this time, so you’re safe for another quarter.

So, as expected, a big update from Oracle. A good inventory of installed software is crucial to ensure that you address all installed versions. But start by focusing on the basics: Java, MySQL and then Oracle RDBMS.