Oracle Fixes 42 Java Flaws

Oracle delivered 170 patches yesterday, including 42 for its much-maligned Java programming environment.

Oracle noted that 39 of the Java flaws were remotely exploitable without authentication, meaning IT teams should prioritise those. Another 19 of them received the most severe rating of 10.0.

Security experts have heaped opprobrium on Java in recent months, as its vulnerabilities have regularly been used by cyber criminals to infect users’ machines. Various attacks launched exploit kits via websites, which were able to load malware thanks to the many Java flaws those tools were armed with.

TechWeekEurope learned earlier this year that one flaw was selling on the dark markets for $100,000. It was only in February that Java had 50 flaws patched.

Java patched up

“Out of the 42 vulnerabilities, only 2 can affect server deployments of Java. Server exploitation can only occur as a result of these bugs when malicious data is supplied into specific APIs on the server (e.g., through a web service), and one of these bugs actually requires local access to be exploited,” the software titan noted in a blog post, which pointed IT admins to the advisory page for this Java release.

Adam Gowdiak of Security Explorations, who has repeatedly uncovered zero-day Java flaws following previous patch updates, was one of the researchers credited with helping uncover the vulnerabilities.

Gowdiak told TechWeekEurope that his long list of Java flaws had all been addressed by Oracle, although he noted that one Java Remote Method Invocation (RMI) flaw had taken almost eight years to fix. “The Java SE CPU released yesterday finally incorporates a fix for the RMI bug known to the vendor since 2005.”

Oracle also patched 128 other vulnerabilities across its product set, including hugely popular systems such as Oracle Database Server, Oracle Fusion Middleware, MySQL and Siebel CRM. There are some critical patches with a top score of 10, affecting Database Server and Fusion Middleware.

IT teams with big Oracle estates should consult the company’s advisory to kick off their patching.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
