July 2014 Critical Patch Update Released
By Eric P. Maurice on Jul 15, 2014
Hello, this is Eric Maurice.
Oracle today released the July 2014 Critical Patch Update. This Critical Patch Update provides 113 new security fixes across a wide range of product families including: Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, Oracle Java SE, Oracle Linux and Virtualization, Oracle MySQL, and Oracle and Sun Systems Products Suite.
This Critical Patch Update provides 20 additional security fixes for Java SE. The highest CVSS Base Score for the Java vulnerabilities fixed in this Critical Patch Update is 10.0. This score affects a single Java SE client vulnerability (CVE-2014-4227). 7 other Java SE client vulnerabilities receive a CVSS Base Score of 9.3 (denoting that a complete compromise of the targeted client is possible, but that that access complexity to exploit these vulnerabilities is “medium.”) All in all, this Critical Patch Update provides fixes for 17 Java SE client vulnerabilities, 1 for a JSSE vulnerability affecting client and server, and 2 vulnerabilities affecting Java client and server. Oracle recommends that home users visit http://java.com/en/download/installed.jsp to ensure that they run the most recent version of Java. Oracle also recommends Windows XP users to upgrade to a currently-supported operating system. Running unsupported operating systems, particularly one as prevalent as Windows XP, create a very significant risk to users of these systems as vulnerabilities are widely known, exploit kits routinely available, and security patches no longer provided by the OS provider.
This Critical Patch Update also includes 5 fixes for the Oracle Database. The highest CVSS Base Score for these database vulnerabilities is 9.0 (this score affects vulnerability CVE-2013-3751)).
Oracle Fusion Middleware receives 29 new security fixes with this Critical Patch Update. The most severe CVSS Base Score for these vulnerabilities is 7.5.
Oracle E-Business Suite receives 5 new security fixes with this Critical Patch Update. The most severe CVSS Base Score reported for these vulnerabilities is 6.8.
Oracle Sun Systems Products Suite receive 3 new security fixes with this Critical Patch Update and one additional Oracle Enterprise Manager Grid Control fix is applicable to these deployments. Fixes that exist because of the dependency between individual Oracle product components are listed in italics in the Critical Patch Update Advisory. These bugs are listed in the risk matrices of the products they initially exist in, as well as in the risk matrices of the products they are used with. The most severe CVSS Base Score for these Oracle Sun Systems Products Suite vulnerabilities is 6.9.
As a reminder, Critical Patch Update fixes are intended to address significant security vulnerabilities in Oracle products and also include code fixes that are prerequisites for the security fixes. As a result, Oracle recommends that this Critical Patch Update be applied as soon as possible by customers using the affected products.
For More Information:
The July 2014 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance.
Java home users can detect if they are running obsolete versions of Java SE and install the most recent version of Java by visiting http://java.com/en/download/installed.jsp