ID: IRCNE2014012082
Date: 2014-01-22
According to “EWeek”, the new year is starting off with a bang for Oracle, at least in terms of security updates. In sharp contrast to Microsoft, which today released just four security bulletins, Oracle fixed a staggering 144 new vulnerabilities spread across its software portfolio as part of its quarterly Critical Patch Update (CPU).
At the top of the list with the most fixed vulnerabilities and widespread impact are 36 security fixes for Oracle's Java. Oracle first began to include Java security fixes as part of its main CPU release in October of 2013. At that time, Oracle fixed a total of 127 vulnerabilities, with Java accounting for 51 of them.
With the January crop of Java vulnerabilities, 34 of the 36 flaws are remotely exploitable without user authentication, making them among the most dangerous types of software flaws. Going a step further, Oracle has ranked five of the new Java vulnerabilities as having the highest possible Common Vulnerability Scoring System (CVSS) score of 10.
Java is among the most attacked and the most patched piece of software in use today.
In addition to Java, Oracle's Fusion Middleware Suite is being patched for multiple vulnerabilities. In total, Oracle is patching 22 security flaws in Fusion, of which 19 are remotely exploitable without user authentication and only a single flaw carries a CVSS score of 10.
The Oracle and Sun Systems products suite, which includes the Solaris Unix operating system, is receiving 11 patches, with only one of them being remotely exploitable. Oracle now separately breaks out fixes for the MySQL database, which came to Oracle by way of its acquisition of Sun in 2010. MySQL is being fixed for 18 security vulnerabilities, with only one receiving the highest CVSS score of 10.
In contrast to MySQL, Oracle's namesake database is only receiving five security fixes, and only one of the flaws is remotely exploitable without user authentication.