[其他] Oracle puts out 253 fixes and a request to please apply patches NOW!

雾里雾气 posted on 2016-10-20 02:09:15


Better go make a fresh pot of coffee and pull up a seat: Oracle’s put out a bonanza of a patch dump, offering 253 fixes for 76 products.
Of those, 15 are critical, with a Common Vulnerability Scoring System (CVSS) score of 9.0 or over. Some allow complete system compromise over HTTP.
In its short-form advisory, Oracle also passed on a “please will you fix these things immediately” message, saying that it’s seeing successful attacks on systems that customers didn’t get around to patching.
It’s serious about this. Italics and bold formatting provided courtesy of Oracle:
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
The fixes apply to Oracle Database Server, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.
According to Oracle’s more verbose drill-down, the worst of the worst bugs make it possible to compromise Oracle Big Data Discovery, Oracle Web Services, Oracle Commerce or WebLogic over HTTP.
As far as Java goes, February ushered in Oracle’s welcome and overdue killing off of its notoriously insecure Java browser plug-in, but of course death in the browser didn’t kill Java everywhere.
Hence, the current bug crop includes fixes for serious Java vulnerabilities.
Two of them allow an “unauthenticated attacker with network access via multiple protocols to compromise Java SE.”
Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.
Oracle Database Server

One of the critical bugs, rated 9.1, is a vulnerability in the OJVM component of Oracle Database Server, affecting versions 11.2.0.4 and 12.1.0.2. Oracle says this “easily exploitable vulnerability” allows a highly privileged attacker holding the Create Session and Create Procedure privileges, with network access via multiple protocols, to compromise OJVM.
An attack can spread from there:
While the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM.
Oracle Fusion Middleware

Another critical bug, rated 9.8, can lead to an attacker taking over the Oracle Big Data Discovery analytics piece of Oracle’s Fusion Middleware, in the Data Processing subcomponent. The affected versions are 1.1.1, 1.1.3 and 1.2.0.
This one comes in over HTTP and is also “easily exploitable”: it lets unauthenticated attackers with HTTP access compromise Oracle Big Data Discovery or take it over completely.
Fusion has plenty of other headaches: another 9.8-rated, easily exploited and critical bug is in the Oracle WebLogic Server component, in versions 10.3.6.0, 12.1.3.0 and 12.2.1.0. That one will let unauthenticated attackers come in over HTTP to compromise or hijack Oracle WebLogic Server.
Oracle Virtualization

Like your virtual desktops? Another bug, rated 8.2, affects the Sun Ray thin client.
It’s easily exploitable, and unauthenticated attackers with network access via SSL/TLS can interfere with the Sun Ray operating system and cause those desktops to hang. It can also allow attackers to inflict a repeated Denial of Service (DoS) on them.
Everything else

Other Oracle products affected by this update include PeopleSoft Enterprise PeopleTools, JD Edwards EnterpriseOne Tools, and, well, a whole lot more.
Follow @NakedSecurity
Follow @LisaVaas