Oracle Critical Patch Update for April 2014
Last Updated: 2014-04-16 13:07:05 UTC
by Johannes Ullrich (Version: 1)
Oracle released its quarterly Critical Patch Update (CPU) yesterday. As usual, the number of patches is quite intimidating. But remember that these 104 fixes apply across the entire Oracle product range.
Some of the highlights:
CVE-2014-2406: A bug in Oracle's Database which allows a remotely authenticated user to gain control over the database.
37 new patches for Java SE, 35 of which allow remote execution as the user running the Java applet (according to Oracle: "The CVSS scores below assume that a user running a Java applet or Java Web Start application has administrator privileges (typical on Windows)").
4 of the Java vulnerabilities have a base CVSS score of 10, indicating not only full remote code execution but also easy exploitability.
Johannes B. Ullrich, Ph.D.
SANS Technology Institute