Threat Level: green Handler on Duty: Manuel Pelaez

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Oracle Critical Patch Update for April 2014

Published: 2014-04-16
Last Updated: 2014-04-16 13:07:05 UTC
by Johannes Ullrich (Version: 1)
0 comment(s)

Oracle released its quarterly Criticical Patch Update (CPU) yesterday [1]. As usual, the number of patches is quite intimidating. But remember these 104 fixes apply across the entire Oracle product range.

Some of the highlights:

CVE-2014-2406: A bug in Oracle's Database which allows a remotely authenticated user to gain control over the database.

37 new patches for Java SE, 35 of which allow remote execution as the user running the Java Applet (according to Oracle: "The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows)".

4 of the Java vulnerabilities have a base CVSS score of 10 indicating not only full remote code execution but also easy exploitability.

[1] http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: oracle patch
0 comment(s)
ISC StormCast for Wednesday, April 16th 2014 http://isc.sans.edu/podcastdetail.html?id=3937
New Feature: Monitoring Certification Revocation Lists https://isc.sans.edu/crls.html
Diary Archives