Oracle Critical Patch Update for Q3 2015 (Includes Java Updates)

On Tuesday, Oracle released its quarterly Critical Patch Update, or "CPU" for short. As usual, this release covers a long list of different products and is too large to summarize in a diary. Oracle patched a total of 154 vulnerabilities. Here are some of the "highlights":

Java:

Of course, Java always gets a lot of attention, as it probably has the largest user base among Oracle's products. This time, Oracle is patching 25 Java flaws. All of the vulnerabilities can be exploited via Java Web Start applications, but only 5 apply to Java running on servers. 7 of the vulnerabilities have the highest CVSS score of "10" (none of these can be exploited in server-side code).

Sun Systems:

The "Integrated Lights Out Manager" (ILOM) receives a patch that fixes a remote code execution vulnerability with a base CVSS score of 10. Comparable "IPMI" interfaces have suffered from numerous vulnerabilities in the past, and Oracle does the right thing by advising users not to expose these interfaces to public networks.

OpenSSL:

Various Oracle components use OpenSSL, and this patch includes OpenSSL-related updates for MySQL, Oracle Enterprise Manager and Oracle Supply Chain Products.

According to Oracle, there is no evidence that any of these vulnerabilities has been exploited so far. The next update will be released in January.

---
Johannes B. Ullrich, Ph.D.

Comments:

Johannes:
Title correction. Q3 2015, not Q1 2015.
Anonymous:
Thanks! Fixed the title.