by John K. Waters
Oracle’s recently released quarterly Critical Patch Update (CPU) contained 155 new security vulnerability fixes across Oracle’s product lines, including 25 for new Java SE vulnerabilities and 9 affecting the Java Virtual Machine (JVM) in the Oracle Database.
The list of Java vulnerabilities addressed with this CPU includes 20 that affect client-only deployments of Java SE (two of which are browser-specific), four that affect client and server deployments of Java SE, and one that affects client and server deployments of the Java Secure Socket Extension (JSSE). Oracle says 22 of the fixes address vulnerabilities that may be remotely exploitable without authentication, meaning an attacker wouldn't need a user name or password to exploit them over a network.
Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One of the Java SE vulnerabilities (CVE-2014-6513) received the highest CVSS Base Score of 10. Ten others were ranked a 9 or higher, meaning they could allow a complete compromise of the targeted client, though the access complexity to exploit these vulnerabilities is considered “medium.”
CVE-2014-6513 is especially worrying to John Matthew Holt, CTO of Dublin-based Java security vendor Waratek.
“With a 10.0 severity score, [it] is an extremely serious vulnerability affecting the latest versions of Java SE 6, SE 7, and SE 8,” Holt told ADTmag in an e-mail. “It allows a specially crafted image to cause JVM memory corruption, and can be used to execute arbitrary injected code with the JVM’s privileges. In other words, this vulnerability can be used to achieve a complete compromise of the JVM, with full access to data and the execution state of the JVM.”