42 Java SE vulnerabilities have been addressed by the company

Apr 17, 2013 07:32 GMT  ·  By

A total of 128 vulnerabilities have been addressed by Oracle with the release of the company’s April 2013 Critical Patch Update (CPU).

The list of affected products includes Oracle Database, Fusion Middleware, E-Business Suite, Supply Chain, PeopleSoft, Siebel, Health Sciences, Retail, Oracle FLEXCUBE, Primavera, Oracle and Sun Systems Product Suite, Oracle MySQL Product Suite, and Oracle Support Tools.

The Oracle Java SE CPU for April 2013 contains 42 security fixes, 39 of which can be exploited without authentication.

We’ve reached out to Security Explorations, the Polish company responsible for identifying many Java vulnerabilities in recent months, to see which of the issues it has reported have been addressed.

According to the company’s CEO, Adam Gowdiak, Oracle has fixed 6 of the vulnerabilities they’ve reported earlier this year. More precisely, the flaws dubbed “Issue 51,” “Issue 55” and “Issues 57 to 60” have been patched.

The security research firm has published the vulnerability reports, along with proof-of-concept code, on its website.

In a post published on Full Disclosure, Gowdiak has also revealed that they’ve released the details of “Issue 56,” a bug that Oracle has yet to confirm, despite the fact that it was reported some six weeks ago. “Although it was part of an exploit chain relying on 5 vulnerabilities in total (Issues 56-60) this issue has not been confirmed by the company so far (other issues from the chain were confirmed and should be addressed in Java SE 7 Update 21),” the CEO noted.

Gowdiak has also pointed us to a post on Red Hat’s Bugzilla site, according to which the issue that allowed remote loading and execution of Java code on servers over the RMI (Remote Method Invocation) protocol has been fixed with the release of Java 7 Update 21 and Java 6 Update 45.

“It might be worth noting that the RMI issue allowing for the remote exploitation of Java SE vulnerabilities on servers was patched almost 8 years after the report (the bug was reported to Sun Microsystems in 2005),” the expert told Softpedia in an email.

Users are advised to apply the updates as soon as possible.