Oracle Fixes 104 Flaws in Massive April Patch Update

Oracle has released its April 2014 Critical Patch Update, providing fixes for 104 vulnerabilities across a number of product lines
Oracle has released its April 2014 Critical Patch Update, providing fixes for 104 vulnerabilities across a number of product lines

The products affected Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite, Oracle iLearning, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Four of the Java SE vulnerabilities received a CVSS base score of 10.0.  Twenty-nine of these 37 vulnerabilities affected client-only deployments, while six affected client and server deployments of Java SE. Rounding up this count was one vulnerability affecting the Javadoc tool and another unpack200.

“As a reminder, desktop users, including home users, can leverage the Java Autoupdate or visit to ensure that they are running the most recent version of Java,” Oracle said in its advisory. “Java SE security fixes delivered through the Critical Patch Update program are cumulative. In other words, running the most recent version of Java provides users with the protection resulting from all previously-released security fixes. Oracle strongly recommends that Java users, particularly home users, keep up with Java releases and remove obsolete versions of Java SE, so as to protect themselves against malicious exploitation of Java vulnerabilities.”

Out of the two vulnerabilities for Oracle Database, the most severe received a CVSS base score of 8.5 for the Windows platform, to denote a full compromise of the targeted system, although a successful exploitation requires of this bug requires authentication by the malicious attacker.

The CPU also provides fixes for 20 Fusion Middleware vulnerabilities. One of the patched flaws is remotely exploitable without authentication in the Oracle WebLogic Server. If successfully exploited, this vulnerability can result in a wide compromise of the targeted WebLogic Server.

The CPU also included fixes for five vulnerabilities affecting Oracle Linux and Virtualization products suite. The most severe of these vulnerabilities affects certain versions of Oracle Global Secure Desktop, and received a CVSS base score of 9.3.

“Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update, Oracle strongly recommends that customers apply this Critical Patch Update as soon as possible,” Oracle noted. “In addition, as previously discussed, Oracle does not test unsupported products, releases and versions for the presence of vulnerabilities addressed by each Critical Patch Update. However, it is often the case that earlier versions of affected releases are affected by vulnerabilities fixed in recent Critical Patch Updates. As a result, it is highly desirable that organizations running unsupported versions, for which security fixes are no longer available under Oracle Premier Support, update their systems to a currently-supported release so as to fully benefit from Oracle’s ongoing security assurance effort.”

What’s hot on Infosecurity Magazine?