Last Updated: 2015-10-21 13:27:34 UTC
by Johannes Ullrich (Version: 1)
On Tuesday, Oracle released its quarterly Critical Patch Update, or "CPU" for short. As usual, this release covers a long list of different products and is too large to summarize in a diary. Oracle patched a total of 154 vulnerabilities. Here are some of the "highlights":
Of course, Java is always getting a lot of attention, as it probably has the largest user base among Oracle's products. This time, Oracle is patching 25 Java flaws. All of them can be exploited via Java Web Start applications, but only 5 apply to Java running on servers. 7 of the vulnerabilities have the highest CVSS score of "10" (none of these can be exploited in server-side code).
The "Integrated Lights Out Manager" (ILOM) receives a patch that fixes a remote code execution vulnerability with a base CVSS score of 10. Comparable "IPMI" interfaces have suffered from numerous vulnerabilities in the past, and Oracle does the right thing by advising users not to expose these interfaces to public networks.
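Oracle's advice to keep ILOM/IPMI interfaces off public networks is easy to state and easy to drift away from. The following script is an added example (not from the diary or from Oracle) of a quick inventory audit: it flags any management interface whose address is not in an RFC 1918 range, or that sits outside an assumed dedicated management network (`10.20.0.0/16`, a hypothetical choice). The inventory entries, hostnames and addresses are constructed; `203.0.113.45` is a documentation-range address standing in for a publicly routable one.

```python
import ipaddress

# RFC 1918 private ranges; a management interface outside these is treated as
# reachable from outside the organisation and flagged.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed dedicated management network (hypothetical value; substitute your own).
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Service labels that identify out-of-band management interfaces in the inventory.
MGMT_SERVICES = {"ILOM", "IPMI", "BMC"}

# Constructed sample inventory (hostnames and addresses are made up).
# 203.0.113.45 is a documentation-range address used as a stand-in for a public IP.
INVENTORY = [
    {"host": "db01-ilom",  "ip": "10.20.0.11",    "service": "ILOM"},
    {"host": "web03-ipmi", "ip": "203.0.113.45",  "service": "IPMI"},
    {"host": "app07",      "ip": "10.30.4.8",     "service": "app"},
    {"host": "san02-ilom", "ip": "172.16.9.3",    "service": "ILOM"},
]


def classify(entry):
    """Return a verdict for a management interface, or None for non-management hosts.

    Verdicts: "ok", "not-rfc1918" (address is not private at all),
    "outside-mgmt-net" (private, but not on the dedicated management network).
    """
    if entry["service"].upper() not in MGMT_SERVICES:
        return None
    ip = ipaddress.ip_address(entry["ip"])
    if not any(ip in net for net in RFC1918):
        return "not-rfc1918"
    if not any(ip in net for net in MGMT_NETS):
        return "outside-mgmt-net"
    return "ok"


def audit(inventory):
    """Map each management host to its verdict; non-management hosts are skipped."""
    findings = {}
    for entry in inventory:
        verdict = classify(entry)
        if verdict is not None:
            findings[entry["host"]] = verdict
    return findings


def exposed(inventory):
    """Sorted list of management hosts that need attention."""
    return sorted(host for host, verdict in audit(inventory).items()
                  if verdict != "ok")


if __name__ == "__main__":
    for host, verdict in audit(INVENTORY).items():
        print(f"{host}: {verdict}")
```

Run against a real inventory export, the "not-rfc1918" findings are the ones to fix first; the "outside-mgmt-net" findings usually mean a BMC was cabled into a production VLAN rather than the management segment, which is the same exposure one hop removed.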
Various Oracle components use OpenSSL, and this patch includes OpenSSL related updates for MySQL, Oracle Enterprise Manager and Oracle Supply Chain Products.
According to Oracle, there is no evidence that any of these vulnerabilities have been exploited so far. The next update will be released in January.