Critical cryptographic Java security blunder patched – update now! – Naked Security

Oracle’s latest quarterly security updates just arrived.

Unlike other software behemoths such as Microsoft, Adobe and Google, who produce official security updates once a month, thus following a schedule that is both regular and frequent, Oracle has historically and resolutely stuck to just four scheduled updates a year.

Even Apple, which notoriously ships all its security updates “when they are ready”, and therefore has no pre-announced calendar that allows you to predict and plan your non-urgent patches, rarely goes much more than a month these days without delivering patches for known security holes.

So, as you can imagine, given Oracle’s huge product portfolio and its comparatively infrequent updates, when patches come, they typically come in large numbers.

This quarter’s updates are no exception, with 174 different products on the “patches available” list, from Engineered Systems Utilities through Oracle Blockchain Platform and Oracle Secure Backup all the way to Primavera Verifier.

Included in the security fixes listed for those 174 products are 401 distinct CVE-numbered bugs, of which well over half have CVE date tags of 2021 and earlier, with some going all the way back to 2017.

(For all that Oracle’s infrequent updates lead to huge patch lists, the company’s top-level Critical Patch Update Advisory is well-organized, and Oracle’s so-called “risk matrices” – the chief bugs for each product – are easy to find.)

In this article, however, we’re focusing on the bugs in Oracle’s Java product, of which seven made the official risk matrix on account of being remotely exploitable without authentication – in other words, they’re bugs that could be exploited from outside your network by someone who has not yet logged in, or who does not have a login in the first place.

Note that remotely exploitable does not mean all these bugs lead directly to remote code execution, or RCE, where an outsider could literally implant and run any code they liked, merely that the bugs can be “reached” and abused by attackers who do not yet have a formal foothold inside your network.
