Information Security News mailing list archives

Oracle's Quarterly Critical Patch Update Includes 25 Java Security Patches


From: InfoSec News <alerts () infosecnews org>
Date: Thu, 23 Oct 2014 09:06:53 +0000 (UTC)

http://adtmag.com/articles/2014/10/21/java-security-patches.aspx

By John K. Waters
adtmag.com
10/21/2014

Oracle's recently released quarterly Critical Patch Update (CPU) contained 155 new security vulnerability fixes across Oracle's product lines, including 25 for new Java SE vulnerabilities and 9 affecting the Java Virtual Machine (JVM) in the Oracle Database.

The list of Java vulnerabilities addressed with this CPU includes 20 that affect client-only deployments of Java SE, 2 of which are browser-specific, four that affect client and server deployments of Java SE, and one that affects client and server deployments of the Java Secure Socket Extension (JSSE). Oracle says 22 of the fixes address vulnerabilities that may be remotely exploitable without authentication -- an attacker wouldn't need a user name or password to exploit them over a network.

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One of the Java SE vulnerabilities (CVE-2014-6513) received the highest CVSS Base Score of 10. Ten others were ranked a 9 or higher, meaning they could allow a complete compromise of the targeted client, though the access complexity to exploit these vulnerabilities is considered "medium."

[...]


