April 15, 2015 Coman Hamilton
Oracle announces the last critical patch update for Java 7, while disclosing a number of remotely exploitable security vulnerabilities in Java applications.
Today’s critical patch update from Oracle has revealed a major vulnerability in JRE/JDK versions, whereby an attacker can gain remote access to a Java application without a username or password. This applies to all versions of Java that have not applied the latest quarterly patch.
The April 2015 collection of 98 patches covers a number of security vulnerabilities across a range of Oracle products including Java SE, the MySQL Suite and the Oracle Database Server.
14 of the 98 fixes are for Oracle Java SE, three of which have been ranked with the highest possible severity (10.0) in the Common Vulnerability Scoring System (CVSS). Oracle states that the other vulnerabilities “can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets”. However, there are still 14 JRE and JDK vulnerabilities that are remotely exploitable over a network without authentication, says Waratek CTO John Matthew Holt.