Company fixes relatively small batch of Java security flaws

Jan 21, 2015 11:55 GMT  ·  By

On Tuesday, Oracle released its quarterly set of security updates to its customers, addressing 169 issues, two more than initially reported in the Critical Patch Update (CPU) pre-release announcement.

Some of the most severe affect Oracle Database, Oracle Fusion Middleware components, Oracle Applications (E-Business Suite in particular), the Oracle Sun Systems Products Suite, and Java SE.

Glitches could lead to compromising databases

The company details several vulnerabilities affecting Oracle Database, the most severe of them (CVE-2014-6567) allowing an attacker to fully compromise the targeted server.

Rated 9.0 under the Common Vulnerability Scoring System (CVSS), the flaw exists in earlier versions of Database 12c and can be exploited on the Windows platform by an attacker who already holds valid database credentials. Under CVSS v2 that score corresponds to a remotely reachable bug that requires authentication but yields a complete loss of confidentiality, integrity and availability, which is why the Windows rating is so high: the database service there runs with system-level privileges, so compromising the database process compromises the host.

Another database vulnerability (CVE-2014-6577) received a score of 6.8; successful exploitation would permit a complete confidentiality compromise (full read access to the data, but no impact on integrity or availability). It, too, is present in the Windows version of Database prior to 12c.

The same flaw carries a lower rating (6.5) in the case of Database 12c, regardless of the operating system the product runs under (Windows, Linux, Unix, etc.), indicating a partial rather than a complete compromise.

Relatively low historical number of Java repairs

The current Critical Patch Update also delivers fixes for Oracle Fusion Middleware, the most significant of them receiving a score of 9.3.

If successfully exploited, two of the flaws (CVE-2011-1944 and CVE-2014-0224) could lead to taking over the server machine. Note that CVE-2014-0224 is the OpenSSL "CCS Injection" bug, which in its original form lets a man-in-the-middle force weak keys and decrypt or tamper with TLS sessions between vulnerable peers; the fix here covers the OpenSSL copies bundled with the affected Fusion Middleware components.

As far as Java is concerned, there are 19 security fixes available, four of them (CVE-2014-6601, CVE-2015-0412, CVE-2014-6549 and CVE-2015-0408) being client-side and marked with the highest possible CVSS score, 10. A client-side score of 10 means no authentication or user interaction beyond loading content is needed: a browser with the Java plugin enabled visiting a malicious page, or a Java Web Start application fetched from an untrusted site, is enough for an attacker to escape the sandbox and run code with the user's privileges.

Referring to the number of Java fixes delivered, Oracle says that it is a “relatively low historical number,” which it attributes to the strategy it started in 2013 to eliminate security issues in the product and to improve “security development practices in the Java development organization.”

Part of that strategy was increasing the frequency of Java security updates from three per year, as originally planned, to four per year, aligning Java with the quarterly Critical Patch Update schedule used for Oracle's other products; the company says this was made possible by increased investment in Java development. Prioritizing the bug-fixing process was also part of Oracle's approach to addressing security issues.

Oracle Critical Patch Update (2 images): "Oracle Database receives eight security patches"; "Only 19 security flaws repaired in Java"