Oracle's critical security update: 193 problems fixed in latest patch

Oracle's latest CPU includes a vast number of security fixes for products including Oracle Database, Java and MySQL.


Oracle's July critical patch update includes security updates and patches for 193 vulnerabilities including remote exploits and authentication issues.

The California-based company's July 2015 Critical Patch Update includes 193 fixes, 44 of which are for third-party components included in Oracle products, such as Qemu and Glibc.

In total, 10 fixes have been issued for Oracle Database, and two of the vulnerabilities fixed allow for remote exploitation without authentication. One vulnerability, CVE-2015-2629, has been given a CVSS Base Score of 9.0 for the Windows platform and 7.5 for Linux and Unix platforms.

In addition, Oracle Fusion Middleware received 39 new security fixes, 36 of which are for vulnerabilities that are also remotely exploitable without authentication. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 7.5.

A number of patches are destined for various Oracle applications. Oracle E-Business Suite gets 13 fixes, Oracle Supply Chain Suite receives 7, PeopleSoft Enterprise gets 8, and Siebel gets 5 fixes. In addition, two fixes have been issued for the Oracle Commerce Platform.

This CPU also addresses 25 vulnerabilities in Oracle Berkeley DB -- with the highest CVSS Base score reported for these vulnerabilities as 6.9 -- and two security flaws within Oracle Communications Applications.

The highest CVSS score affecting this software is the maximum of 10, for vulnerability CVE-2015-0235, otherwise known as GHOST. This flaw affects Glibc, a component used in the Oracle Communications Session Border Controller.

It wouldn't be a patch update without the presence of Java on the list. In total, 25 fixes have been issued, and 23 of these vulnerabilities are remotely exploitable without authentication. In addition, 16 of these fixes are for client-side Java products, and one is specific to Mac users.

The recently announced zero-day vulnerability CVE-2015-2590 has also been resolved. The zero-day has been detected being actively exploited in the wild via drive-by downloads, and is thought to affect the latest version of Java, version 1.8.0.45, but not older versions.

Oracle states:

"Oracle continues to periodically receive reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply available Oracle patches.

Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."

The next critical patch update will be released on 20 October 2015.
