This week it was Oracle’s turn to address vulnerabilities: the company fixed 113 security holes across its product base with the release of its Critical Patch Update (CPU) for July.
The CPU includes fixes for 20 flaws affecting Java SE, all of which can be exploited remotely without authentication. The vulnerabilities affect Java SE subcomponents such as Swing, Serviceability, Deployment, Security, Libraries, JavaFX, Hotspot and JMX. Two of the bugs are in Java SE’s JRockit component. The list of affected versions includes Java SE 6u75, Java SE 7u60 and Java SE 8u5.
Despite talk that security patches for Java 7 will no longer work on Windows XP, Oracle said that is not true. In fact, Windows XP users will continue to get automatic updates at least until April 2015, when public updates for JDK 7 end.
“The important point here is that we can no longer provide complete guarantees for Java on Windows XP, since the OS is no longer being updated by Microsoft,” said Henrik Stahl, the vice president of product management at Oracle’s Java Platform Group.
In addition to the Java vulnerabilities, Oracle has also fixed 5 security issues in Oracle Database Server, 29 in Oracle Fusion Middleware, 7 in Oracle Hyperion, 1 in Oracle Enterprise Manager Grid Control, 5 in Oracle E-Business Suite, 3 in the Oracle Supply Chain Products Suite, 5 in Oracle PeopleSoft Products, 6 in Oracle Siebel CRM, 1 in Oracle Communications Applications, 3 in Oracle Retail Applications, 3 in the Oracle and Sun Systems Products Suite, 15 in Oracle Virtualization, and 10 in Oracle MySQL. One of the updates for MySQL Enterprise Server 5.6 includes a fix for the OpenSSL bug called “Heartbleed.”
“As a reminder, Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products,” said Eric Maurice, Oracle’s director of software security assurance, in a blog post.