SANS ISC: Oracle Critical Patch Update January 2014 - SANS Internet Storm Center SANS ISC InfoSec Forums


Oracle Critical Patch Update January 2014

Today we also got Oracle's quarterly "Critical Patch Update". As announced, we got a gross of 144 different patches from Oracle. But remember that these patches affect 47 different products (if I counted right).

The product we are overall most worried about is Java. With this CPU, 34 security vulnerabilities are fixed in Java SE. So again: Patch or disable (fast).

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

This latest JRE update refuses all self-signed certificate applications
with no easy way to override the behavior.

So we will be staying with JRE 7u45, probably forever. The only
thing we use Java for is KVMoIP console administration. Not
going to spend several days cooking up a complex
exception file. Not going to re-flash the BMC in every server.
No way, no how. For some BMCs no update even exists.

Dumb move by Oracle as I'm sure a lot of folks who would
update to a more secure version will share our attitude
and skip it.
Anonymous