Oracle rolls out more critical patches for troublesome Java

Critical Patch Update fixes 21 bad-news vulnerabilities in Java SE and Java for Business

Oracle has unloaded a hefty package of patches aimed at fixing critical vulnerabilities in Java SE and Java for Business, and Oracle as well as third-party security experts are urging IT admins to deploy the security update immediately.

The majority of the vulnerabilities fixed by the update pertain to the JRE (Java Runtime Environment); these vulnerabilities can be exploited sans authentication, meaning attackers would not have to bother with coming up with a username and password.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

All told, eight of the vulnerabilities had a severity rating of 10 out of 10, two others were rated 7.6, and 4 more carried a rating of 5.0.

According to Oracle, 13 of the 21 vulnerabilities affect Java client deployments, and 12 of those 13 can be exploited via untrusted Java Web Start applications and untrusted Java applets, which run in the Java sandbox with limited privileges. One of the client vulnerabilities affects the Windows-specific Java Update component.

Three of the vulnerabilities affect client and server deployments and may be also be exploited through untrusted applications and applets, as well as by providing data to APIs in specific components through, for example, a Web service.

Another three only affect Java server deployments and can be exploited by supplying malicious data to APIs in the specified Java components. According to Oracle, one of these vulnerabilities was addressed as part of an emergency patch released on Feb. 8.

Finally, one of these vulnerabilities is specific to Java DB, a component in the Java JDK, but not included in JRE.

The critical patch update, along with more information, is available at Oracle's website.

More about: etwork, Oracle
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the Computerworld comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Java, open source, oracle, Patch management, security, Security Central, software
Whitepapers
All whitepapers
Sign up now to get free exclusive access to reports, research and invitation only events.
Featured Download
/downloads/product/235/softperfect-network-protocol-analyzer/

SoftPerfect Network Protocol Analyzer

Publisher's notes: SoftPerfect Network Protocol Analyzer is an advanced, professional tool for analyzing, debugging, maintaining and monitoring local networks and Internet connections. It captures the ...

Computerworld newsletter

Join the most dedicated community for IT managers, leaders and professionals in Australia