With its first quarterly update of January 2021, Oracle fixes 329 vulnerabilities across its product range. Besides numerous business products, this also covers Java, VirtualBox and MySQL.
Because of the broad product portfolio, there are regularly many vulnerabilities to patch. On the last CPU (Critical Patch Update) day of 2020, October 20, there were 402 vulnerabilities; on the first CPU day of 2021 there were 329. Many of the patched vulnerabilities are classified as critical. For risk classification, Oracle uses the industry standard CVSS 3.1 (Common Vulnerability Scoring System), whose highest value is 10.0. Microsoft has also been providing CVSS scores for some time.
Oracle fixed the most vulnerabilities in Fusion Middleware. Of its 60 vulnerabilities, 47 can be exploited over the network without a user login, and 15 of those reach the very high CVSS score of 9.8. Oracle patched 50 vulnerabilities in its solutions for the financial industry; of these, 41 can be exploited over the network without a user login, and 13 reach a CVSS score of 9.8. Next comes the well-known open-source database server MySQL, with five vulnerabilities patched, five of which are remotely exploitable and one of which has a CVSS score of 7.5. The latest MySQL versions are 8.0.23, 5.7.33 and 5.6.51.
Oracle has fixed one security vulnerability in Java SE (Standard Edition). It can be exploited over the network without a user login (CVSS score 5.3 at most). The latest Java generation, 15, introduced in September 2020, is already receiving its last update with version 15.0.2 and will be replaced by Java 16 in March. Java 11 is a so-called LTS (Long Term Support) version and will be provided with updates for eight years - Java 11.0.10 is the latest version. Neither Java generation is affected by the fixed vulnerability.
For end users, Java 8 (JRE - Java Runtime Environment) remains relevant; it continues to receive security updates that are free of charge for private use for an indefinite period. Oracle intends to announce the end of support 18 months in advance. Commercial users, on the other hand, have had to pay for these updates since April 2019, but will receive them until the end of 2030. The latest version is Java 8 Update 281 (8u281), in which Oracle has fixed the single vulnerability mentioned above. As a browser extension (JRE plug-in), Java only runs in Internet Explorer 11 and in the Firefox-based browser Waterfox, which, unlike Firefox, still offers the old NPAPI interface for plug-ins.
The new version 6.1.18 of the open-source virtualization solution VirtualBox is available. Oracle has patched 17 vulnerabilities in it, one of which has a CVSS score of 8.2. Some of these vulnerabilities could be suitable for breaking out of the virtual machine and executing code on the host system. The older version branches 5.x and 6.0.x no longer receive updates - the last ones came on the CPU day in July 2020.
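To turn the version numbers named above into an actual check, here is an added example (not from the article or from Oracle) that parses the output of `java -version`, `mysql --version` and `VBoxManage --version` and compares it against the patched versions listed in the text. The output formats and the sample strings are assumptions; Java 8 Update 281 is handled as the `1.8.0_281` string the JRE actually reports.

```python
import re

# Minimum patched versions named in the article, keyed by supported branch.
# Java 8 Update 281 reports itself as "1.8.0_281", so it is keyed as branch (1, 8).
BASELINES = {
    "java": {(1, 8): (1, 8, 0, 281), (11,): (11, 0, 10), (15,): (15, 0, 2)},
    "mysql": {(5, 6): (5, 6, 51), (5, 7): (5, 7, 33), (8, 0): (8, 0, 23)},
    "virtualbox": {(6, 1): (6, 1, 18)},
}

# Assumed output formats of java -version, mysql --version and VBoxManage --version.
VERSION_PATTERNS = {
    "java": r'version "(\d+(?:[._]\d+)+)',   # e.g. openjdk version "1.8.0_275"
    "mysql": r"(\d+\.\d+\.\d+)",            # skips the "Ver 14.14" client number of 5.x builds
    "virtualbox": r"^(\d+(?:\.\d+)+)",      # e.g. 6.1.18r142142
}


def parse_version(product, output):
    """Return the reported version as a tuple of ints, e.g. '1.8.0_275' -> (1, 8, 0, 275)."""
    m = re.search(VERSION_PATTERNS[product], output, re.MULTILINE)
    if not m:
        raise ValueError(f"no {product} version found in {output!r}")
    return tuple(int(part) for part in re.split(r"[._]", m.group(1)))


def check(product, output):
    """Classify version output as 'patched', 'outdated' or 'unlisted'.

    'unlisted' means the branch is not among those the article names as still
    receiving fixes (for example VirtualBox 5.x and 6.0.x).
    """
    version = parse_version(product, output)
    for branch, minimum in BASELINES[product].items():
        if version[: len(branch)] == branch:
            return "patched" if version >= minimum else "outdated"
    return "unlisted"


# Constructed sample outputs, not captured from real systems.
SAMPLES = {
    "java": 'openjdk version "1.8.0_275"\nOpenJDK Runtime Environment (build 1.8.0_275-b01)',
    "mysql": "mysql  Ver 14.14 Distrib 5.7.33, for Linux (x86_64) using  EditLine wrapper",
    "virtualbox": "6.0.24r139119",
}

if __name__ == "__main__":
    for product, output in SAMPLES.items():
        print(f"{product}: {check(product, output)}")
```

On a real host, feed the function the captured output of the three commands instead of the constructed samples.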