Java SE Patches in Latest Oracle's CPU Mark a 12-Month Low
A lot has changed in the Java world in the past year, but Oracle is still issuing its quarterly Critical Patch Updates (CPUs) like clockwork. With 334 new security fixes, the Q3 CPU offers a new two-year high for total Oracle product patches, but a 12-month low for Java SE patches. This CPU includes eight new Java SE patches, which is a 75 percent drop from a 30-month high set in July 2017. "On the surface, the downward trend of Java SE patches would appear to be positive," said James Lee, executive vice president of Dublin-based app security tools provider Waratek, in a statement. "However, this trend may actually be a reflection of the adoption rates of Java SE 9 and 10, since the Java community continues to rely on older versions of Java. With low adoption rates, there are simply fewer users in a position to report bugs in the newest versions of Java." Oracle uses the Common Vulnerability Scoring System … [Read more...] about Java SE Patches in Latest Oracle's CPU Mark a 12-Month Low — ADTmag
Oracle critical patch updates
The average time from the discovery of a vulnerability to a patch being issued is, for well-supported software, thirty days. In a best-case scenario, cybercriminals have a whole month to make the most of the exploit. Of course, it's not always a best-case scenario. For example, in 2016, an SAP authentication vulnerability was patched that had first been reported way back in 2012. Any hacker looking to use this vulnerability to gain access to a system had the best part of four years to do so. And some business practices mean that there is much longer between a vulnerability being discovered and a patch being released—Oracle rolls all of its patches into a quarterly Critical Patch Update, meaning there are potentially three months from a patch being created until it's rolled out. The issues aren't only on the software providers' side—in fact, the biggest problems can be found with the users and businesses who fail to install patches. This isn't … [Read more...] about Are ERP patches regular enough to be value for money?
Video: Intel says it can't protect all chips vulnerable to Meltdown and Spectre. Oracle has released patches for the latest Spectre CPU flaws and a fix for the Lazy floating-point unit (FPU) state restore issue affecting Intel CPUs. Oracle's updates address the Spectre CPU flaws revealed in May, including CVE-2018-3640, also known as Spectre variant 3a, and CVE-2018-3639, Spectre variant 4. The fix for Spectre variant 4 needs both software and microcode updates, while fixing Spectre variant 3a only requires microcode updates. Oracle has released software-based patches for Oracle Linux and Oracle VM with Intel's microcode updates for x86 hardware. Oracle director of security assurance, Eric Maurice, said the company will release more microcode updates and firmware patches as they become available from Intel. Oracle has also released updates for Red Hat Compatible Kernel … [Read more...] about Oracle's latest Linux fixes: New Spectre, Lazy FPU patches beef up defenses
Video: Oracle urges customers to install latest patch: It fixes 254 vulnerabilities. A bug that Oracle recently patched broke the main functionality of Oracle Access Manager (OAM), which should only give authorized users access to protected enterprise data. OAM provides an authentication function for web applications based on Oracle Fusion Middleware. It can be used to provide and block access to external mobile and cloud applications. However, researchers at Austrian security firm SEC-Consult found a flaw in OAM's cryptographic format that allowed them to create session tokens for any user, which an attacker could use to impersonate any legitimate user and access web apps that OAM should be protecting. As SEC-Consult explains, OAM-protected web servers feature an authentication component called an Oracle WebGate. When users attempt to access a protected resource from the web server, they're bumped across to an OAM page to enter a username and password. If successful, … [Read more...] about Oracle Access Manager security bug so serious it let anyone access protected data
critical patch update for April, offering 254 security fixes across 20 product sets. The database giant said customers should install the update as soon as possible, as attackers continue to attempt to exploit patched vulnerabilities. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay," it said. Eric Maurice, Oracle's director of security assurance, said about one third of the security fixes provided are for non-Oracle Common Vulnerabilities and Exposures (CVEs), that is, security fixes for third-party software components that are included in Oracle products. Oracle's January critical patch update provided patches for the Spectre and Meltdown processor vulnerabilities, and the April update includes one further Spectre update (for CVE-2017-5753) for the … [Read more...] about Oracle critical update fixes 254 flaws