Oracle and Adobe Pile on the Pressure With Critical Patches

Hot on the heels of Microsoft, Adobe and Oracle have waded in with their own security updates to make October a busy month for system administrators.

Adobe has issued Priority 1 (critical) updates for Flash Player affecting all platforms, to fix vulnerabilities CVE-2014-0558, CVE-2014-0564, CVE-2014-0569.

These remote code execution flaws are patched automatically on Windows 8 and 8.1 systems running Internet Explorer 10 and 11, where Flash ships with the browser and is updated through Windows Update; those running older browsers or operating systems will need to patch manually as a matter of urgency.

Adobe also issued fixes for issues affecting ColdFusion versions 9 through 11 on all platforms.

It explained:

“These hotfixes address a security permissions issue that could be exploited by an unauthenticated local user to bypass IP address access control restrictions applied to the ColdFusion Administrator. Cross-site scripting and cross-site request forgery vulnerabilities are also addressed in the hotfixes.”

As if that wasn’t enough, Oracle has added to the patch load with a hefty batch of security updates fixing 154 vulnerabilities across a large range of products.

“Take a good look at the release; it is large and has patches for most any Oracle customer,” urged Qualys CTO Wolfgang Kandek in a blog post. “A good application inventory or comprehensive scan will help you determine your most urgent patchable weaknesses.”

Some of the key product families affected include Java SE, MySQL, Oracle RDBMS, Fusion Middleware and Sun Solaris.

There are 25 vulnerabilities in Java, covering versions 6, 7 and 8, with at least nine of them rated critical, allowing remote exploitation of affected systems.

Some 31 vulnerabilities exist in Oracle RDBMS, with six assigned a CVSS score of 9.

“All of them require CREATE SESSION privilege, meaning the attackers need authentication credentials,” Kandek explained.

“Oracle RDBMS servers are usually not directly connected through the internet, so an attacker would have to have gained a foothold into the network through another vulnerability before being able to try any of the exploits available.”
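Because the database flaws need an authenticated session, the first thing a DBA wants to know is which accounts can actually log in, including those that inherit CREATE SESSION through a role such as CONNECT or through a grant to PUBLIC. The query below is an added example written for this article, not code from Qualys or Oracle; it assumes only the standard Oracle data dictionary views (DBA_USERS, DBA_SYS_PRIVS, DBA_ROLE_PRIVS) and a user with SELECT access to them.

```sql
-- Added example: inventory every account that can open a session on this
-- database, whether CREATE SESSION is granted directly, inherited through a
-- (possibly nested) role, or granted to PUBLIC. Run as a DBA or a user with
-- SELECT ANY DICTIONARY. Oracle 10g and later.

-- 1. Has CREATE SESSION been granted to PUBLIC? If so, every account qualifies.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE SESSION'
   AND grantee   = 'PUBLIC';

-- 2. Accounts holding CREATE SESSION directly or via any chain of roles.
--    The CONNECT BY walks role-to-role grants upward from every role that
--    holds the privilege, so nested roles are resolved too.
SELECT u.username,
       u.account_status,
       u.profile
  FROM dba_users u
 WHERE u.username IN (
         -- direct grants
         SELECT grantee
           FROM dba_sys_privs
          WHERE privilege = 'CREATE SESSION'
         UNION
         -- grants through roles, however deeply nested
         SELECT grantee
           FROM dba_role_privs
          START WITH granted_role IN (SELECT grantee
                                        FROM dba_sys_privs
                                       WHERE privilege = 'CREATE SESSION')
        CONNECT BY PRIOR grantee = granted_role
       )
 ORDER BY u.account_status, u.username;
```

Accounts reported with ACCOUNT_STATUS of OPEN are the ones an attacker with a foothold and stolen or guessed credentials could use; LOCKED or EXPIRED entries still deserve a look, since unlocking is a single ALTER USER away. Comparing this list against the application inventory Kandek recommends shows which service accounts, and therefore which application hosts, extend the reach of the unpatched database flaws.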

There are 24 vulnerabilities highlighted in MySQL - with three given a CVSS score of over 7, allowing remote exploitation – 18 in Sun Solaris and 15 in Fusion Middleware.

“This [Fusion] product group contains Oracle web and application servers and should receive a high priority treatment if you use them on machines connected to the internet,” said Kandek. “Here Oracle addresses CVE-2014-0114 a vulnerability in Struts.”
