

Oracle’s Critical Patch Update (CPU) for July has seen 115 updates to a variety of Oracle products. Java has been the busiest with 20 vulnerabilities being addressed, the most severe of which is CVE-2014-4227, affecting Java v6, v7 and v8. The most critical vulnerabilities fixed by these patches would allow an attacker to take control of the machine that the software is running on - workstation or server.


Let’s take a look at the groups of software that are affected:

Oracle Java, which has 20 vulnerabilities addressed. The most severe is CVE-2014-4227 with a CVSS score of 10.0, which affects Java v6, v7 and also the newest v8. There are another seven vulnerabilities with a CVSS score of 9.3 that are considered critical. All of the critical vulnerabilities apply to client-side installations of Java, i.e. Java on workstations that execute applets and Java Web Start applications. Since Java has been on the radar of many cyber criminals for a long time, and we have seen Java vulnerabilities included in common exploit kits, you should address these problems as soon as possible.

Oracle MySQL, with ten vulnerabilities addressed. The highest score is CVSS 6.5, indicating network-accessible vulnerabilities that require authentication, i.e. a username and password to log into the database. We frequently see MySQL databases connected directly to the Internet: Shodan lists almost four million entries for the MySQL port 3306 that are not firewalled. We therefore recommend fast patching for these issues, especially if you are on that list of Internet-accessible IP addresses. Oracle calls out that this update also includes a fix for the Heartbleed vulnerability (CVE-2014-0160) in the MySQL Enterprise Server 5.6.

Oracle RDBMS, the flagship product of Oracle that many associate with the Oracle brand. Five vulnerabilities are addressed, the most severe with a CVSS score of 9.0 in the XML parser of the included HTTP module: CVE-2013-3751. It is only present in RDBMS v12; in v11 the vulnerability was already fixed last year.

In the virtualization space, Oracle addresses 15 vulnerabilities, including seven in the popular virtualization software VirtualBox.

Oracle Fusion Middleware, which mainly groups all of the Oracle application servers: GlassFish, WebLogic, iPlanet and HTTP Server. 29 vulnerabilities in all, with the highest severity of 7.5 found in CVE-2013-1741.

Further, there are seven updates for Oracle Hyperion, six for Siebel CRM, five for E-Business Suite, five for PeopleSoft, four for Solaris, three for Supply Chain and one each for Grid Control, Retail and Communications.

Oracle reported no updates for the Oracle Outside In component. Outside In is used by Microsoft Exchange Server as a library, and a flaw there would trigger an update from Microsoft in one of the following months. Not this time, so you are safe for another quarter.

So, as expected, a big update from Oracle. A good inventory of installed software is crucial to ensure that you address all installed versions. But start by focusing on the basics: Java, MySQL and then Oracle RDBMS.
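The inventory-first advice above, as an added example rather than the author's or Oracle's code: it matches constructed inventory records against the affected versions this article lists and orders them the way the author recommends. The host names, the inventory records and the score lift for Internet-exposed MySQL instances are assumptions of the example.

```python
"""Prioritised patch list for the July CPU items discussed in this article.
Added example: inventory records and host names are constructed, not real."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Per product: affected majors as the article states them (None = the
# article gives no version set, so treat every install as affected), the
# worst CVSS it reports, and the reference it names.
ADVISORY: Dict[str, Tuple[Optional[Set[str]], float, str]] = {
    "java":  ({"6", "7", "8"}, 10.0, "CVE-2014-4227"),
    "mysql": (None, 6.5, "10 fixes incl. CVE-2014-0160 in Enterprise 5.6"),
    "rdbms": ({"12"}, 9.0, "CVE-2013-3751"),  # v11 was fixed last year
}

def major_version(product: str, version: str) -> str:
    """Map a vendor version string onto the majors the advisory talks about.
    Java reports 1.6.0_x / 1.7.0_x / 1.8.0_x, MySQL 5.6.17, RDBMS 12.1.0.1."""
    if product == "java":
        m = re.match(r"1\.(\d+)", version)
        return m.group(1) if m else version.split(".")[0]
    if product == "mysql":
        return ".".join(version.split(".")[:2])
    return version.split(".")[0]

def prioritise(inventory: List[dict]) -> List[Tuple[float, str, str, str]]:
    """Return (score, host, product, reference) sorted by descending score.
    Score is the article's CVSS, except that a MySQL instance reachable from
    the Internet is lifted above RDBMS, reflecting the author's advice on
    exposed port 3306 (the +3.0 lift is an assumption of this example)."""
    rows = []
    for item in inventory:
        majors, cvss, ref = ADVISORY.get(item["product"], (None, None, None))
        if cvss is None:
            continue  # product not covered by this CPU summary
        if majors is not None and major_version(item["product"], item["version"]) not in majors:
            continue  # installed major is not in the affected set
        score = cvss
        if item["product"] == "mysql" and item.get("internet_exposed"):
            score = min(10.0, cvss + 3.0)
        rows.append((score, item["host"], item["product"], ref))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

INVENTORY = [  # constructed sample records
    {"host": "ws-01", "product": "java", "version": "1.7.0_55"},
    {"host": "db-01", "product": "mysql", "version": "5.6.17", "internet_exposed": True},
    {"host": "db-02", "product": "rdbms", "version": "11.2.0.4"},
    {"host": "db-03", "product": "rdbms", "version": "12.1.0.1"},
]

if __name__ == "__main__":
    for score, host, product, ref in prioritise(INVENTORY):
        print(f"{score:4.1f}  {host:6}  {product:6}  {ref}")
```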