Enterprise behemoth warns that several pre-auth remote code exec holes need to be patched
In its quarterly security updates released today, Oracle said it patched as many as 296 flaws across its enormous line of enterprise software.
In addition to the overview of new licensing terms for Java SE, the April 2019 update comprises fixes for Big Red’s flagship Database, Fusion Middleware, and MySQL lines.
For Java SE, a total of five vulnerabilities are addressed, each exploitable remotely to execute malicious code without user interaction. Oracle did not say precisely what each flaw would allow, but the maximum CVSS score is 9.0, usually a score reserved for remote code execution without any user interaction.
This announcement also marks the introduction of new licensing requirements for Java SE.
Java SE to remain free
The new Java SE terms will mean very little for a majority of users. According to Oracle, the consumer and developer builds of Java SE will remain free, and business customers who use Java SE as part of another Oracle product will be protected by those licenses.
However, those who aren’t covered may need to obtain a new license in order to get the updates, not something you want to be wrangling over when potentially serious security fixes are concerned. When asked about who will and won’t get the Java SE patches, Oracle referred to its Java SE roadmap.
“If you are an organization used to getting Oracle Java SE binaries at no cost, you can simply continue doing so with Oracle’s OpenJDK releases available at jdk.java.net. If you are used to getting Oracle Java SE binaries at no cost as a personal user or for development use, then you can continue to get Oracle Java SE releases through java.com (personal users) and the Oracle Technology Network (‘OTN’) (developers),” Oracle said in announcing the new policy.
“Those wishing to use the Oracle JDK or Oracle JRE for other uses will require a Java SE Subscription.”
A good share of the April updates went to Oracle’s Communications Applications lineup, where 26 fixes – 19 for remotely exploitable flaws – were addressed. The E-Business Suite received fixes for 33 remotely exploitable vulnerabilities, and 35 in all.
MySQL was also a popular target, with 44 flaws in total being addressed. However, the fixes were comparatively minor, as just three of those bugs would be remotely exploitable without authentication, and the maximum CVSS score among them was 6.5.