Oracle’s Busy Patching, Including Java Zero Day
Thursday, July 16, 2015 @ 06:07 PM gHale
Oracle released its July 2015 Critical Patch Update (CPU), addressing 193 security issues across multiple product families, including a Java Zero Day bug.
Trend Micro discovered earlier this week an unpatched Java vulnerability had been exploited by the advanced persistent threat (APT) group Pawn Storm (also known as APT28, Sofacy, Fancy Bear, and Sednit) in attacks against the armed forces of a NATO member country, and major defense contractors in the United States and Canada.
After Oracle announced the availability of a patch for the remote code execution vulnerability (CVE-2015-2590), Trend Micro published a blog post with additional technical details on the attack.
The security holes addressed by Oracle with the July 2015 CPU affect a wide range of products, including Oracle Database, Fusion Middleware, Hyperion, Enterprise Manager, E-Business Suite, Supply Chain Suite, PeopleSoft Enterprise, Siebel CRM, Communications Applications, Java SE, Sun Systems Products Suite, Linux and Virtualization, and MySQL.
Forty-four of the patched flaws plague third-party components included in Oracle’s product distributions.
A total of 25 vulnerabilities were addressed in Java SE, and all but two of them can be exploited remotely by an unauthenticated attacker.
“16 of these Java SE fixes are for Java client-only, including one fix for the client installation of Java SE. 5 of the Java fixes are for client and server deployment. One fix is specific to the Mac platform. And 4 fixes are for JSSE client and server deployments,” Eric Maurice, director of Oracle Software Security Assurance, said in a blog post.
The latest CPU resolves ten vulnerabilities in Oracle Database, 39 in Fusion Middleware, 25 in Berkeley DB, two in Communications Applications, 13 in E-Business Suite, seven in Supply Chain Suite, eight in PeopleSoft Enterprise, five in Siebel, and two in Commerce Platform.