Java Cloud Service Gets a Fix

Oracle's recent fix follows up an array of patches that were rolled into its quarterly Critical Patch Update.

Oracle released a security advisory for its Java Cloud Service. The fix is a follow-up from the company's quarterly Critical Patch Update. The company said the security issues covered in it did not affect Java SE, only the company's platform for developing and deploying business applications in the cloud.

Oracle's most recent CPU was a big one, comprising 104 new security fixes for a range of Oracle products, including 37 Java SE vulnerabilities -- 4 of which earned a Common Vulnerability Scoring System (CVSS) rating of 10.0, which is very high and marks them as critical. Twenty-nine of those Java SE vulnerabilities affected client-only deployments, six affected both client and server deployments, one affected the Javadoc tool, and one affected unpack200 (the JAR unpacking tool). The vulnerabilities with the high CVSS rating can be exploited remotely without authentication to compromise the host operating system.

Oracle also issued a security alert (Security Alert CVE-2014-0160) and patch following the public unveiling of Heartbleed, a serious vulnerability in OpenSSL, the open source cryptographic library. Heartbleed could allow attackers to read the memory of systems protected by the affected versions of OpenSSL over a network -- no need or a user name or password. Oracle implemented OpenSSL in many of its products. Heartbleed earned a relatively low CVSS rating of 5.0, which Maurice has pointed out "denotes the difficulty in coming up with a system that can rate the severity of all types of vulnerabilities." A fixed version of that crypto library is now available

The list of Oracle products covered by the recent CPU includes Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite, Oracle iLearning, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.

Oracle advised its customers to apply the latest CPU immediately "due to the relative severity of a number of the vulnerabilities fixed."

About the Author

John K. Waters is a freelance author and journalist based in Silicon Valley. His latest book is The Everything Guide to Social Media. Follow John on Twitter, read his blog on, check out his author page on Amazon, or e-mail him at


Virtualization Review

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.