Provider of one of the most notoriously weak programming platforms ever invented (Java), Oracle have revealed a whole slew of updates ready and raring to go for nearly all of their available products in both the consumer and enterprise markets.
Announced in the monthly Critical Patch Update, the package contained a total of 104 different fixes covering a swathe of Oracle products that had fallen prey to the OpenSSL exploit Heartbleed, which continues to wreak havoc just over one week after its original discovery.
Everything from elevation-of-privilege flaws to data disclosure and remote administration capabilities was easily felled by the bountiful bug, tearing a hole through software applications like Hyperion, PeopleSoft, and several former packages used by Sun.
Risks for Java rated especially high on the company’s own risk matrix, topping out at nine and 10 among the 35 vulnerabilities that made up the pile of patches, which were neatly packaged together and shipped out to all versions, all builds, and all operating systems en masse this morning.
“In April 2014, a vulnerability affecting certain versions of the OpenSSL cryptographic software library was publicly disclosed. For the purpose of this Note, this vulnerability will be referred to by its CVE number: CVE-2014-0160.
The Oracle Global Product Security and Development teams are investigating the use of the affected OpenSSL cryptographic libraries in Oracle products and will provide mitigation instructions when available for these affected Oracle products.”
Another 37 ranked in the top tier of the self-published barometer, considered “critical fixes” that should be applied immediately by any sysadmins who depend on the aforementioned languages to maintain the system architecture of their servers. Middleware was another major concern for the company, which informed Fusion users that this update was of particular value to anyone who used its gatekeeping software as a waypoint between central servers and the endpoint.
There were also several other repairs released for MySQL Server, Siebel CRM, and the Oracle Virtualization suite which were unrelated to the Heartbleed breach, but still addressed critical bugs that could be remotely exploited by anyone with prior knowledge of their existence.