Oracle details most serious flaws in January security update

Oracle has revealed the highest-severity flaws in its bumper January patch batch.
Written by Liam Tung, Contributing Writer

Oracle's quarterly Patch Tuesday-synced Critical Patch Update (CPU) has been released, with fixes for 144 flaws in 47 of the company's products, including 36 fixes for Java SE.

As Oracle flagged in an earlier advisory, dozens of the fixes are for flaws that can be remotely exploited without authentication, which include 34 for Java SE, one for Oracle E-Business Suite, six for Oracle Supply Chain Products Suite, 10 for its PeopleSoft Enterprise, and one for Siebel CRM. A full list of affected products is available from Oracle.

While Oracle is urging customers to apply all 144 fixes released in its January CPU as soon as possible, only a handful have been given the highest severity rating of 10.

These include fixes for five flaws in client-side deployments of Java SE (CVE-2014-0410, CVE-2014-0415, CVE-2013-5907, CVE-2014-0428, CVE-2014-0422), which can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.

Others that were rated as the most severe include one flaw affecting Oracle WebCenter Sites in Oracle Fusion Middleware (CVE-2013-4316), one affecting its banking product Flexcube (CVE-2013-4316) and another for MySQL Enterprise Monitor (CVE-2013-4316).

One of the five most serious Java flaws, however, is also applicable to server deployments. "That is, it can be exploited by supplying data to APIs in the specified component without using sandboxed Java Web Start applications or sandboxed Java applets," Oracle's director of software security assurance Eric P. Maurice wrote.

Also, two of the more serious fixes for Java SE affect Java 7 update 45 on Apple's platform (CVE-2014-0385 and CVE-2014-0408).

Maurice also notes a serious fix for its business intelligence product, Hyperion, which received two fixes.

"One of these vulnerabilities (CVE-2013-3830) received a CVSS Base Score of 7.1, which denotes a complete compromise if successfully exploited, but also requires a single authentication from the attacker."

The company's next 2014 quarterly critical patch update is due on 15 April, followed by 15 July, 14 October and 20 January 2014.
