Oracle's Critical Patch Update (CPU) in the quarterly cycle has been released, and includes a mammoth 127 security fixes -- including 51 for Java.
This is the first time that Java is being patched with other Oracle products -- including the E-Business Suite, MySQL and the Primavera Products Suite. Previously, Java was updated every four months.
The October CPU release includes fixes for a variety of software applications -- basically all of them in enterprise server-related product families:
- Oracle Database
- Oracle Fusion Middleware
- Oracle Enterprise Manager
- Oracle Applications - E-Business Suite
- Oracle Applications - Oracle Supply Chain, PeopleSoft Enterprise, Siebel and iLearning Products Suite
- Oracle FLEXCUBE Products Suite
- Oracle Health Sciences Products Suite
- Oracle Retail Products Suite
- Oracle Primavera Products Suite
- Oracle Java
- Oracle MySQL
Arguably, the most important vulnerability fixes within this update is Java, considering the vast number of consumers who use the software worldwide. Out of the 51 fixes on offer, 50 are related to Java Applets and Java WebStart, which are used when you run the applications in your web browser. Many security experts argue that while Java is a useful application, it should be disabled in your browser, where it represents a constant security risk.
Worryingly, 12 of the vulnerabilities being patched in this update have the most urgent, critical CVSSv2 score of 10, which indicates that these flaws can be exploited so others can gain access over a network without authentication, as warned by CTO of cloud security firm Qualys Wolfgang Kandek.
"The majority of vulnerabilities are concentrated on the Java client side, i.e. in desktop/laptop deployments, with the most common attack vector being web browsing and malicious web pages, but there are two highly critical vulnerabilities that also apply to server installations – CVE-2013-5782 and CVE-2013-5830. The new version is Java 7 update 45, and you should update as quickly as possible on your desktop and laptop machines."
While some versions of Java update themselves, others do not, so it is worthwhile checking to see what version your operating system runs. Despite the confusion, Oracle "strongly recommends that customers apply CPU fixes as soon as possible."
Over at Sophos Naked Security, Chester Wisniewski is less-than-impressed at the mammoth security update, commenting:
"If your reputation is this poor and you expose more than a billion users to your flaws, you need to respond more quickly. Microsoft and Adobe both patch monthly and together have less than 50 vulnerabilities fixed per quarter on average. Oracle, it's time to step up your game."
The next CPU update is scheduled for 14 January, 2014.