ARN

Oracle rolls out more critical patches for troublesome Java

Critical Patch Update fixes 21 bad-news vulnerabilities in Java SE and Java for Business

Oracle has unloaded a hefty package of patches aimed at fixing critical vulnerabilities in Java SE and Java for Business, and Oracle as well as third-party security experts are urging IT admins to deploy the security update immediately.

The majority of the vulnerabilities fixed by the update pertain to the JRE (Java Runtime Environment); these vulnerabilities can be exploited sans authentication, meaning attackers would not have to bother with coming up with a username and password.

[ Master your security with InfoWorld's interactive Security iGuide. | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ]

All told, eight of the vulnerabilities had a severity rating of 10 out of 10, two others were rated 7.6, and 4 more carried a rating of 5.0.

According to Oracle, 13 of the 21 vulnerabilities affect Java client deployments, and 12 of those 13 can be exploited via untrusted Java Web Start applications and untrusted Java applets, which run in the Java sandbox with limited privileges. One of the client vulnerabilities affects the Windows-specific Java Update component.

Three of the vulnerabilities affect client and server deployments and may be also be exploited through untrusted applications and applets, as well as by providing data to APIs in specific components through, for example, a Web service.

Another three only affect Java server deployments and can be exploited by supplying malicious data to APIs in the specified Java components. According to Oracle, one of these vulnerabilities was addressed as part of an emergency patch released on Feb. 8.

Finally, one of these vulnerabilities is specific to Java DB, a component in the Java JDK, but not included in JRE.

The critical patch update, along with more information, is available at Oracle's website.

Nominations for the 2012 ARN IT Industry Awards open on Tuesday, June 12.

More about: etwork, Oracle
References show all

Comments

Post new comment

The content of this field is kept private and will not be shown publicly.
Users posting comments agree to the ARN comments policy.
Login or register to link comments to your user profile, or you may also post a comment without being logged in.
Related Coverage
Related Whitepapers
Latest Stories
Community Comments
Tags: Java, open source, oracle, Patch management, security, Security Central, software
ARN Directory | Distributors relevant to this article
Aquion , Avnet Technology Solutions
ARN Directory | Vendors relevant to this article
Oracle
rhs_login_lockGet exclusive access to ARN's news, research and invitation only events.
ARN Distributor Directory
Find distributors by name | vendor | location
Channel Deals
/deals/avg/349_protect-your-android-phones-with-avg
AVG (AU/NZ) Pty Ltd

Protect your Android Phones with AVG Mobilation

More details »
ARN Vendor Directory
Find vendors by name | category

iAsset is a channel management ecosystem that automates all major aspects of the entire sales,marketing and service process, including data tracking, integrated learning, knowledge management and product lifecycle management.