Oracle closes more than 300 security vulnerabilities

With the July updates, Oracle eliminates 342 vulnerabilities in its product portfolio.

With the quarterly updates in July, Oracle eliminates 342 vulnerabilities in its product range including Java, VirtualBox and MySQL.

The software manufacturer Oracle holds a security patch day every three months. Because of the extensive product portfolio and the long update cycle, there are usually several hundred vulnerabilities to fix. This time there are 342 fixes overall. Some of the vulnerabilities are classified as critical. For the risk classification, Oracle uses the industry standard CVSS 3.1 (Common Vulnerability Scoring System).

The largest number of fixes is in Fusion Middleware. Of the 48 vulnerabilities, 35 can be exploited over the network without a user login, and seven of those have a CVSS score of 9.8. Two vulnerabilities are rated 9.9, but they cannot be exploited over the network without logging in.

Next comes the well-known open source database server MySQL: of its 41 vulnerabilities, ten can be exploited remotely, and one has the very high CVSS score of 9.8. The latest versions of MySQL (MySQL Community Server) are 8.0.26 and 5.7.35. There have been no updates for the 5.6.x version branch since the beginning of the year.

Oracle has fixed four security vulnerabilities in Java SE (Standard Edition). One of these affects Java 7, for which there have only been paid updates since 2015. All of them can be exploited over the network without a user login (maximum CVSS score 7.5). The latest Java generation, Java 16, which was only introduced in March 2021, receives its last update with version 16.0.2 before it is replaced by Java 17 in September. Java 11, on the other hand, is a so-called LTS (Long Term Support) version and will be provided with updates for eight years. Java 11.0.12 is its latest version.

For users, Java 8 (JRE, Java Runtime Environment) remains relevant. For private use, it receives free security updates for an indefinite period of time, and Oracle wants to announce the end of support 18 months in advance. Commercial users, on the other hand, have had to pay for these updates since April 2019, but will receive them until the end of 2030. The latest version is Java 8 Update 301 (8u301), in which Oracle has fixed three of the vulnerabilities mentioned above. As a browser extension (JRE plug-in), Java only runs in Internet Explorer 11 and in the Firefox-based browser Waterfox Classic, which, unlike Firefox, still has the old NPAPI interface for plug-ins.

The new version 6.1.24 of the open source virtualization solution VirtualBox is available. Oracle has fixed four vulnerabilities in it, one of which has a CVSS score of 8.2. Some of these vulnerabilities could be suitable for breaking out of the virtual machine and executing code on the host system.

