Oracle releases latest round of Java security patches

Oracle has released critical patch updates containing 40 security fixes across Java SE products.
Written by Charlie Osborne, Contributing Writer on

Oracle has released fixes for multiple products, many of which are aimed at preventing remote exploitation without authentication.

On Tuesday, the technology giant and Java software maker released its June 2013 Critical Patch Update for Java SE. The update includes 40 security fixes, 37 of which address vulnerabilities that can be exploited remotely without a username or password.

The majority of the security fixes, 34 in total, affect only client deployments. Under the CVSS rating system Oracle uses, some of these flaws are rated "critical," attaining the highest possible base score of 10.

In addition, four vulnerabilities affect both client and server deployments, with the most severe of them reaching a CVSS base score of 7.5.

One security vulnerability fixed in the latest round of updates affects the Java installer, but can only be exploited locally.

The final fix affects the Javadoc tool and any documents created by Oracle's software. In Javadoc versions 1.5 or later, a vulnerability in Javadoc-generated HTML files hosted on a web server allows hackers to inject malicious frames into a vulnerable web page, which in turn means that visitors may be redirected to other sites through their browsers.

The patch removes this issue, and an additional tool — the "Java API Documentation Updater Tool" — fixes previously generated, and therefore vulnerable, HTML files.
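A site that hosts API documentation generated over several years will rarely know which of its HTML files came out of an affected Javadoc and still need to be run through the updater tool. The script below, an added example that is not Oracle's code and not the updater tool itself, inventories a web root for Javadoc output. It assumes, as is standard Javadoc behaviour, that each generated page is stamped with a `<!-- Generated by javadoc (build|version X) ... -->` comment, and it uses the presence of a `<frameset>` element as the marker for the frame-based pages the article describes; the `needs_review` threshold of 1.5 comes from the article's statement that Javadoc 1.5 and later are affected. The sample pages at the bottom are constructed for the demonstration.

```python
"""Inventory Javadoc-generated HTML under a web root so the files that still need
Oracle's Java API Documentation Updater Tool can be listed for remediation.

Added example (not Oracle's code). Assumptions: Javadoc stamps every page with a
'<!-- Generated by javadoc (build|version X) on ... -->' comment, and the
frame-based pages carry a <frameset> element.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Javadoc's generator stamp; older builds say "build", newer ones say "version".
GENERATED_RE = re.compile(
    r"<!--\s*Generated by javadoc\s*\((?:build|version)\s+([\d._]+)\)", re.IGNORECASE
)
FRAMESET_RE = re.compile(r"<frameset\b", re.IGNORECASE)

# Per the article, Javadoc 1.5 and later produce the affected frame pages.
AFFECTED_FROM: Tuple[int, ...] = (1, 5)


@dataclass
class JavadocPage:
    path: str
    version: str        # e.g. "1.7.0_21"
    uses_frames: bool   # True if the page contains a <frameset>


def javadoc_version(html: str) -> Optional[str]:
    """Return the Javadoc version stamped in the page, or None if it is not Javadoc output."""
    m = GENERATED_RE.search(html)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'1.7.0_21' -> (1, 7, 0, 21) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.split(r"[._]", version) if part)


def classify(path: str, html: str) -> Optional[JavadocPage]:
    """Describe a page if it was generated by Javadoc; otherwise return None."""
    version = javadoc_version(html)
    if version is None:
        return None
    return JavadocPage(path=path, version=version, uses_frames=bool(FRAMESET_RE.search(html)))


def needs_review(page: JavadocPage) -> bool:
    """Frame-based pages from Javadoc 1.5 or later are the ones to run through the updater."""
    return page.uses_frames and version_tuple(page.version) >= AFFECTED_FROM


def scan_tree(root: str) -> Iterator[JavadocPage]:
    """Walk a web root and yield every Javadoc-generated HTML page found."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                page = classify(full, fh.read())
            if page is not None:
                yield page


def pages_needing_review(root: str) -> List[str]:
    """Relative paths (under root) of frame pages that should be fed to the updater tool."""
    return sorted(os.path.relpath(p.path, root) for p in scan_tree(root) if needs_review(p))


# Constructed sample pages: a 1.7 frame index, a 1.7 class page without frames,
# a pre-1.5 frame index, and a hand-written page that is not Javadoc output.
SAMPLE_PAGES = {
    "api/index.html": '<!-- Generated by javadoc (version 1.7.0_21) on Mon -->\n'
                      '<html><frameset cols="20%,80%"><frame src="overview-frame.html">'
                      '</frameset></html>',
    "api/Foo.html": '<!-- Generated by javadoc (version 1.7.0_21) on Mon -->\n'
                    '<html><body>class Foo</body></html>',
    "old/index.html": '<!-- Generated by javadoc (build 1.4.2_19) on Tue -->\n'
                      '<html><frameset rows="*"><frame src="x.html"></frameset></html>',
    "index.html": '<html><body>Hand-written landing page</body></html>',
}


def build_sample_root() -> str:
    """Write SAMPLE_PAGES into a temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="javadoc-scan-")
    for rel, html in SAMPLE_PAGES.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(html)
    return root


if __name__ == "__main__":
    sample_root = build_sample_root()
    for rel in pages_needing_review(sample_root):
        print(f"needs updater tool: {rel}")
```

Point `pages_needing_review` at the real document root instead of the constructed sample to get the list of files to hand to the updater tool; pages that Javadoc generated without frames, and pages from generators older than 1.5, are reported as Javadoc output by `scan_tree` but are not flagged.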

Affected versions of Java SE components include the Java Development Kit and Java Runtime Environment 5.0, 6 and 7. JDK/JRE 7 update 21 and earlier, JDK/JRE 6 update 45 and earlier, and JDK/JRE 5.0 update 45 and earlier are all vulnerable. In addition, patches are included for JavaFX 2.2.21 and earlier.

Due to the "critical" nature of some security flaws, Oracle recommends applying these patches "as soon as possible" through the usual update channels, either the Java Autoupdate tool or by visiting Java's website.

In April, Oracle released 128 fixes for security vulnerabilities that affected hundreds of products. Software vulnerable to these exploits included Oracle Fusion Middleware, Oracle HTTP Server, JRockit, WebCenter and WebLogic. The fixes protected against threats including remote exploitation and access without authentication.

Dates scheduled for the next round of patch updates are 15 October 2013 and 14 January next year.
