[LACNIC/Seguridad] FYI: Oracle to issue huge security patch addressing 36 Java vulnerabilities

Fernando Gont fernando en gont.com.ar
Wed Jan 15 15:13:22 BRST 2014


FYI. Source:
<http://www.theinquirer.net/inquirer/news/2322481/oracle-to-issue-huge-security-patch-addressing-36-java-vulnerabilities>

(what in Maradona-speak is called "LTA" :-) )

---- cut here ----
Oracle to issue huge security patch addressing 36 Java vulnerabilities
144 flaws found across hundreds of Oracle products and components
By Lee Bell
Mon Jan 13 2014, 11:42

ENTERPRISE VENDOR Oracle will issue its first patch update of 2014 on
Tuesday and it just so happens that it'll be one of its biggest ever
that includes a slew of security patches, many of which address
vulnerabilities in Java.

The Critical Patch Update will address 144 flaws in hundreds of Oracle
products, 36 of which apply to vulnerabilities in Java SE, including 34
that are bugs that can be exploited remotely by an attacker without
requiring authentication.

"Some of the vulnerabilities addressed in this Critical Patch Update
affect multiple products", Oracle said in its pre-release announcement.
"Due to the threat posed by a successful attack, Oracle strongly
recommends that customers apply Critical Patch Update fixes as soon as
possible."

Five of the security fixes will apply to Oracle Database Server. One of
these vulnerabilities might be remotely exploitable without
authentication, meaning it could be exploited over a network without the
need for a username and password.

The patch update will be released on 14 January for Oracle products and
components including JavaFX, versions 2.2.45 and earlier, Java JDK and
JRE, versions 5.0u55, 6u65, 7u45 and earlier, and Java SE Embedded,
versions 7u45 and earlier.

The highest CVSS 2.0 Base Score for vulnerabilities in Oracle's Critical
Patch Update is 10.0 for Java SE, Java SE Embedded, and JRockit of
Oracle Java SE, MySQL Enterprise Monitor of Oracle MySQL, Oracle
FLEXCUBE Private Banking of Oracle Financial Services Software and
Oracle WebCenter Sites of Oracle Fusion Middleware.

Security firm Qualys' CTO Wolfgang Kandek warned that plug-ins like Java
are one of the main threat vectors as more companies are being infected
through web-based attacks.

"One needs to pay attention to the browser plug-ins, and in that class,
the most important is Oracle's Java," Kandek said. "Java just suffered a
widely published attack during the Yahoo Ad-based attacks from [December
to January 2014], where the Magnitude exploit kit was used to deliver
malware to users that were running an outdated version of Java."

He added that Oracle's critical patch update will "further tighten its
security parameters".
---- cut here ----
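The forwarded article lists the last pre-patch update for each Java family (5.0u55, 6u65, 7u45 "and earlier"). The script below is an added example, not part of the original post, the article, or anything published by Oracle: it parses the first line that `java -version` prints (the `java version "1.7.0_45"` form used by Java 5 through 7) and reports whether an installation is still at or below those baselines. The host names and version strings are constructed samples; the regular expression for the version line is my assumption about the output format.

```python
import re
from typing import Dict, Optional, Tuple

# Last update per Java family that the article says is covered by the
# January 2014 Critical Patch Update ("versions 5.0u55, 6u65, 7u45 and
# earlier"). Anything at or below these still needs the update.
AFFECTED_MAX_UPDATE = {5: 55, 6: 65, 7: 45}

# Assumed format of the first line of `java -version` for Java 5-7, e.g.
#   java version "1.7.0_45"      or      java version "1.6.0_65-b14"
VERSION_RE = re.compile(r'version "1\.(\d+)\.0_(\d+)')


def parse_java_version(version_output: str) -> Optional[Tuple[int, int]]:
    """Return (family, update) from `java -version` text, or None if unparseable."""
    m = VERSION_RE.search(version_output)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def needs_cpu_jan2014(version_output: str) -> Optional[bool]:
    """True if the reported Java is at or below the pre-patch baseline for its
    family, False if it is newer, None if the output cannot be parsed or the
    family is not one the article lists (so no conclusion can be drawn)."""
    parsed = parse_java_version(version_output)
    if parsed is None:
        return None
    family, update = parsed
    if family not in AFFECTED_MAX_UPDATE:
        return None
    return update <= AFFECTED_MAX_UPDATE[family]


def report(outputs: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host to its patch status given its captured `java -version` output."""
    return {host: needs_cpu_jan2014(text) for host, text in outputs.items()}


# Constructed sample outputs, as an inventory tool might have collected them.
SAMPLE_OUTPUTS = {
    "workstation-a": 'java version "1.7.0_45"\n'
                     'Java(TM) SE Runtime Environment (build 1.7.0_45-b18)\n',
    "workstation-b": 'java version "1.7.0_51"\n'
                     'Java(TM) SE Runtime Environment (build 1.7.0_51-b13)\n',
    "server-c":      'java version "1.6.0_65"\n'
                     'Java(TM) SE Runtime Environment (build 1.6.0_65-b14)\n',
    "server-d":      'java version "1.5.0_22"\n',
    "kiosk-e":       'bash: java: command not found\n',
}

if __name__ == "__main__":
    for host, status in report(SAMPLE_OUTPUTS).items():
        label = {True: "NEEDS PATCH", False: "ok", None: "unknown"}[status]
        print(f"{host:14s} {label}")
```

The check is deliberately conservative: an unparseable line or an unlisted family yields `None` rather than "ok", so a broken inventory run cannot silently pass a host. Note that a newer update number only says the installation is past the January 2014 baseline; it says nothing about later Critical Patch Updates.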


-- 
Fernando Gont
e-mail: fernando en gont.com.ar || fgont en si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1