Oracle details most serious flaws in January security update

Summary: Oracle has revealed the highest-severity flaws in its bumper January patch batch.

TOPICS: Security, Oracle

Oracle's quarterly Patch Tuesday-synced Critical Patch Update (CPU) has been released, with fixes for 144 flaws in 47 of the company's products, including 36 fixes for Java SE.

As Oracle flagged in an earlier advisory, dozens of the fixes are for flaws that can be remotely exploited without authentication, including 34 for Java SE, one for Oracle E-Business Suite, six for the Oracle Supply Chain Products Suite, 10 for its PeopleSoft Enterprise, and one for Siebel CRM. A full list of affected products can be found here.

While Oracle is urging customers to apply all 144 fixes released in its January CPU as soon as possible, only a handful have been given the highest severity rating of 10.

These include fixes for five flaws in client-side deployments of Java SE (CVE-2014-0410, CVE-2014-0415, CVE-2013-5907, CVE-2014-0428, CVE-2014-0422), which can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.

Others that were rated as the most severe include one flaw affecting Oracle WebCenter Sites in Oracle Fusion Middleware (CVE-2013-4316), one affecting its banking product Flexcube (CVE-2013-4316) and another for MySQL Enterprise Monitor (CVE-2013-4316).

One of the five most serious Java flaws however is also applicable to server deployments. "That is, it can be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets," Oracle's director of software security assurance Eric P. Maurice wrote.

Also, two of the more serious fixes for Java SE affect Java 7 update 45 on Apple's platform (CVE-2014-0385 and CVE-2014-0408).

Maurice also notes a serious fix for Oracle's business intelligence product, Hyperion, which received two fixes.

"One of these vulnerabilities (CVE-2013-3830) received a CVSS Base Score of 7.1, which denotes a complete compromise if successfully exploited, but also requires a single authentication from the attacker."

The company's next 2014 quarterly critical patch update is due on 15 April, followed by 15 July, 14 October and 20 January 2014.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.

  • Remember when...

    Oracle was unbreakable and Java was the great secure platform for everyone. Hahahahahaha Never believe the marketing lies. Times have changed but the marketing lies never stop they are even more insidious than ever today.
  • Suits?

    Are these Oracle Suits or Suites? A Nehru suit for Larry, perhaps? ... Ben Myers