As part of Hub City Media's ongoing effort to keep Oracle IAM environments secure, we are advising our clients that Oracle has released its quarterly Critical Patch Update (CPU).
We have evaluated the update and summarized the critical patches that may be required in client environments. To maintain the best possible security posture, please review these patches with your team and schedule them for installation.
Component: Oracle Java SE 7
Sub-Component(s): Java DB, Libraries, Windows DLL, Deployment, JSSE
Patch Number: 27895402
Six new vulnerabilities were fixed in Java SE 7. All of them may be remotely exploitable without authentication, i.e., exploited over a network without requiring user credentials, and some allow an unauthenticated attacker with network access via multiple protocols to compromise Java SE. Most are difficult to exploit, and some require interaction from a person other than the attacker. Although the vulnerabilities are in Java SE, a successful attack may significantly impact other products running on the affected JVM (for example, Oracle IAM components hosted on it).
Successful attacks can result in:
- unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
- unauthorized ability to cause a partial denial of service of Java SE, Java SE Embedded, JRockit
- unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data
- takeover of Java SE, Java SE Embedded
Some of these vulnerabilities apply to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (for example, code downloaded from the internet) and rely on the Java sandbox for security. They can also be exploited without Web Start or applets by supplying crafted data to APIs in the affected sub-component, for example through a web service. Server-side deployments that run only trusted code are therefore also in scope: any service that passes attacker-controlled input to the affected libraries should be treated as exposed until patched.
Component: Oracle WebLogic Server (versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3)
Sub-Components: Console (jackson-databind), WLS - Web Services, and WLS Core Components
Patch Numbers: 27919965, 27919943, 27741413, and 27912627 for the four versions respectively
These easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server. A successful attack can result in takeover of Oracle WebLogic Server. Note that T3 is served on the same listen port as HTTP (7001 by default), so any administration or managed server whose port is reachable from an untrusted network is exposed; a connection filter that blocks T3 from untrusted sources reduces exposure but is not a substitute for the patch.
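To check whether a listener actually accepts T3 and which WebLogic version it reports (so you know whether it falls inside the affected list), the following Python is an added example, not code from the original advisory or from Oracle. It assumes the T3 handshake and HELO reply format used by the open-source nmap script weblogic-t3-info; the sample banner is constructed, and the affected-version list is the WebLogic list given in this advisory.

```python
import re
import socket
import sys

# T3 handshake as used by the open-source nmap script weblogic-t3-info. The wire format is
# an assumption of this example, not something stated in the advisory.
T3_HANDSHAKE = b"t3 12.2.1\nAS:255\nHL:19\n\n"

# WebLogic versions this advisory lists as affected (Oracle lists them to four components).
AFFECTED_VERSIONS = ("10.3.6.0", "12.1.3.0", "12.2.1.2", "12.2.1.3")

# A T3 listener answers with "HELO:<its version>.<boolean flag>"; the flag is captured
# but not interpreted here.
HELO_RE = re.compile(rb"HELO:(\d+(?:\.\d+)+)\.(true|false)")

# Constructed sample reply in that format, used to exercise the parser offline.
SAMPLE_BANNER = b"HELO:12.2.1.3.0.false\nAS:2048\nHL:19\nMS:10000000\n\n"


def parse_t3_banner(banner: bytes):
    """Return (server_version, flag) from a T3 HELO banner.

    Returns None when the peer did not answer with a T3 banner, which is what you see
    when the port speaks only HTTP or a connection filter drops the T3 handshake.
    """
    match = HELO_RE.search(banner)
    if not match:
        return None
    return match.group(1).decode("ascii"), match.group(2) == b"true"


def is_affected(version: str) -> bool:
    """True if the reported version falls under one of the advisory's affected releases.

    WebLogic reports a fifth component (12.2.1.3.0) where the advisory lists four,
    so compare on the advisory's prefix rather than on equality alone.
    """
    return any(version == v or version.startswith(v + ".") for v in AFFECTED_VERSIONS)


def assess(banner: bytes) -> str:
    """Summarise one probe result as a single finding string."""
    parsed = parse_t3_banner(banner)
    if parsed is None:
        return "no T3 banner (T3 not reachable on this port)"
    version, _flag = parsed
    if is_affected(version):
        return f"T3 reachable, WebLogic {version}: affected, patch required"
    return f"T3 reachable, WebLogic {version}: not in the affected list"


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> bytes:
    """Send the T3 handshake to a live listener and return the raw reply (network call)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(T3_HANDSHAKE)
        return sock.recv(1024)


if __name__ == "__main__":
    # Usage: python t3_check.py <host> [port]  (only against hosts you are authorised to test)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 7001
    print(assess(probe_t3(target, target_port)))
```

The banner tells you exposure, not patch status: a server that has the CPU patch applied still reports the same version string, so a reachable T3 listener on an affected release must be confirmed against the patch inventory of its Oracle home rather than against this probe alone.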
Component: Oracle WebLogic Server (versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3)
Sub-Component: Sample apps (Spring Framework)
Patch Numbers: 28168795, 28174808, 28174810, and 28168797 for the four versions respectively
This easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle WebLogic Server. A successful attack can result in takeover of Oracle WebLogic Server. Because the flaw is in the bundled sample applications, also confirm that the samples are not deployed on production domains, but apply the patch regardless.
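Both WebLogic items above come down to the same verification step: confirming, per Oracle home, that the patch number listed for that home's version is present in `opatch lsinventory`. The Python below is an added example for that check, not code from the original advisory or from Oracle. The version-to-patch mapping is taken from the order in which this advisory lists the patch numbers ("respectively"); the inventory excerpt is constructed to imitate `opatch lsinventory` output, and patch 12345678 in it is a hypothetical later cumulative patch, not a real Oracle patch number. The point of parsing the "Bugs fixed" lists rather than grepping for the number is that a required patch can legitimately be absent from the applied list because a later patch superseded it, and a plain `grep` cannot tell that case from a false match.

```python
import re

# Version-to-patch mapping taken from the order in which this advisory lists the patch numbers
# for 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 "respectively": the Console / Web Services /
# Core Components patch first, then the Sample apps (Spring Framework) patch.
REQUIRED_PATCHES = {
    "10.3.6.0": {"27919965", "28168795"},
    "12.1.3.0": {"27919943", "28174808"},
    "12.2.1.2": {"27741413", "28174810"},
    "12.2.1.3": {"27912627", "28168797"},
}

# Constructed excerpt imitating `opatch lsinventory` output for a 12.2.1.3 home. Patch 12345678
# is a hypothetical later cumulative patch (not a real Oracle patch number) that lists 28168797
# among the bugs it fixes; the 27000000-range bug numbers are placeholders.
SAMPLE_INVENTORY = """\
Oracle Interim Patch Installer version 13.9.4.0.0
Lsinventory Output file location : /u01/oracle/cfgtoollogs/opatch/lsinv/lsinventory.txt

Interim patches (2) :

Patch  12345678     : applied on Tue Sep 18 09:01:10 EDT 2018
Unique Patch ID:  22400000
Patch description:  "hypothetical cumulative patch"
   Created on 1 Sep 2018, 10:00:00 hrs PST8PDT
   Bugs fixed:
     28168797, 27000003

Patch  27912627     : applied on Thu Jul 19 10:12:44 EDT 2018
Unique Patch ID:  22297027
Patch description:  "WLS PATCH SET UPDATE 12.2.1.3.180717"
   Created on 29 Jun 2018, 06:29:45 hrs PST8PDT
   Bugs fixed:
     27000001, 27000002

OPatch succeeded.
"""

# One section per applied patch: from its "Patch <id> : applied on" line up to the next one.
SECTION_RE = re.compile(
    r"^Patch\s+(\d+)\s*:\s*applied on.*?(?=^Patch\s+\d+\s*:|\Z)", re.MULTILINE | re.DOTALL
)
# The comma-separated bug list that follows "Bugs fixed:", ending at the next blank line.
BUGS_RE = re.compile(r"Bugs fixed:\s*(.*?)(?:\n\s*\n|\Z)", re.DOTALL)


def parse_inventory(inventory_text: str) -> dict:
    """Map each applied patch number to the set of bug numbers it reports as fixed."""
    inventory = {}
    for section in SECTION_RE.finditer(inventory_text):
        bugs = BUGS_RE.search(section.group(0))
        inventory[section.group(1)] = set(re.findall(r"\d+", bugs.group(1))) if bugs else set()
    return inventory


def patch_status(version: str, inventory_text: str) -> dict:
    """For each patch this advisory requires at `version`, report 'applied',
    'included in <patch>' (a later applied patch lists it under Bugs fixed) or 'missing'."""
    if version not in REQUIRED_PATCHES:
        raise ValueError(f"{version} is not a version this advisory covers")
    inventory = parse_inventory(inventory_text)
    status = {}
    for patch in sorted(REQUIRED_PATCHES[version]):
        if patch in inventory:
            status[patch] = "applied"
            continue
        supersets = sorted(p for p, bugs in inventory.items() if patch in bugs)
        status[patch] = f"included in {supersets[0]}" if supersets else "missing"
    return status


def missing_patches(version: str, inventory_text: str) -> list:
    """Just the advisory patch numbers that are neither applied nor superseded."""
    return [p for p, s in patch_status(version, inventory_text).items() if s == "missing"]
```

Run it against the saved output of `opatch lsinventory` from each Oracle home, passing the version that home reports; a home whose version is not in the advisory's list raises rather than silently reporting nothing required.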
In addition to the patches above, Oracle has released patches for many other products in this Critical Patch Update. The complete list of affected products, which you may want to share within your organization, is published in Oracle's Critical Patch Update advisory.