Java Cloud Service Gets a Fix
Oracle's recent fix follows up an array of patches that were rolled into its quarterly Critical Patch Update.
Oracle released a security advisory for its Java Cloud Service. The fix is a follow-up from the company's quarterly Critical Patch Update. The company said the security issues covered in it did not affect Java SE, only the company's platform for developing and deploying business applications in the cloud.
Oracle's most recent CPU was a big one, comprising 104 new security fixes for a range of Oracle products, including 37 Java SE vulnerabilities -- 4 of which earned a Common Vulnerability Scoring System (CVSS) rating of 10.0, which is very high and marks them as critical. Twenty-nine of those Java SE vulnerabilities affected client-only deployments, six affected both client and server deployments, one affected the Javadoc tool, and one affected unpack200 (the JAR unpacking tool). The vulnerabilities with the high CVSS rating can be exploited remotely without authentication to compromise the host operating system.
Oracle also issued a security alert (Security Alert CVE-2014-0160) and patch following the public unveiling of Heartbleed, a serious vulnerability in OpenSSL, the open source cryptographic library. Heartbleed could allow attackers to read the memory of systems protected by the affected versions of OpenSSL over a network -- no need for a user name or password. Oracle implemented OpenSSL in many of its products. Heartbleed earned a relatively low CVSS rating of 5.0, which Maurice has pointed out "denotes the difficulty in coming up with a system that can rate the severity of all types of vulnerabilities." A fixed version of that crypto library is now available.
The list of Oracle products covered by the recent CPU includes Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite, Oracle iLearning, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL.
Oracle advised its customers to apply the latest CPU immediately "due to the relative severity of a number of the vulnerabilities fixed."