Oracle released its first quarterly critical patch update (CPU) of the year earlier this week, issuing 169 security fixes for hundreds of its products.
Vulnerabilities in the company's browser plug-in Java received 19 patches, 14 of which could be remotely exploitable without authentication. Four Java bugs were given a common vulnerability scoring system (CVSS) base score of 10.0, the most critical ranking.
Nine other CVEs (common vulnerabilities and exposures) in the CPU had scores of 6.0 or higher.
"Four out of every five identified CVEs in the CPU can be exploited for full or partial sandbox bypass," said John Matthew Holt, chief technology officer at Java application security firm Waratek.
"It is a modern day paradox that Java technology, which rocketed to prominence on the promise of its 'secure sandbox' design, is vulnerable to 16 new sandbox bypasses. That represents one new Java sandbox bypass every 120 hours since the last CPU," Holt said.
Eight vulnerabilities in Oracle Database were also addressed in the recent release, including CVE-2014-6567, which received a CVSS base score of 9.0, signaling that a full compromise of a targeted server could be possible on the Windows platform with authentication.
None of the database vulnerabilities could be remotely exploitable without authentication.
Four other database vulnerabilities ranked above a 6.0, and CVE-2014-6577 received a rating of 6.8. If exploited, it could result in a complete confidentiality compromise of the targeted systems on database versions prior to 12c on the Windows platform.
A separate bug (CVE-2015-0393) in E-Business Suite, a popular ERP system among corporate Australia, could have granted administrator privileges to lower-level users.
Perth-based security researcher David Litchfield with Datacom TSS discovered and reported the vulnerability to Oracle this past year. He found it during a review of a client's system and believed it to be a backdoor left behind after a hack.
To Litchfield's surprise, the vulnerability was intentionally inserted into E-Business by Oracle.
"On investigation, it turns out the 'backdoor' is part of a seeded installation! I was flabbergasted. Still am." - David Litchfield (@dlitchfield), January 19, 2015
In a further write-up of the bug, Litchfield said Oracle "has no documentation for why they did this. This is very concerning."
Oracle's MySQL received nine fixes, three of which could be remotely exploitable without authentication. The most critical bug, CVE-2015-0411, had a base score of 7.5.
The company also issued 29 fixes for its Sun Systems Products Suite, 10 of which could be remotely exploitable without authentication. One bug, CVE-2013-4784, received a 10.0 rating and another, CVE-2014-4259, received a 9.0.