Oracle has published its scheduled Critical Patch Update (CPU), the regular collection of fixes for critical issues and vulnerabilities across its product line. The July update eliminates 319 vulnerabilities.
In the Java SE releases 12.0.2, 11.0.4 and 8u221, 10 security issues have been fixed; 9 of them can be exploited remotely without authentication. The highest CVSS score among them is 6.8, for a vulnerability in the bundled libpng. There are no high- or critical-severity issues that would allow an unauthenticated user to compromise Java SE applications over the network.
“Patches may temporarily break application functionality, so Oracle strongly recommends that customers test changes on non-production systems,” Oracle warns.
Besides Java SE, vulnerabilities were also fixed in other Oracle products, namely:
- 43 vulnerabilities in MySQL (maximum CVSS score 9.8, i.e. critical). The most dangerous one, CVE-2019-3822, is a buffer overflow in the NTLM header parsing code of the libcurl library shipped with MySQL; it can be used for a remote attack on the MySQL server by an unauthenticated user. Almost all the other issues require authenticated access to the database. The only exception is a vulnerability in MySQL Shell (Admin / InnoDB Cluster component), rated 7.5. The issues are fixed in the MySQL Community Server 8.0.17, 5.7.27 and 5.6.45 releases.
- 14 vulnerabilities in VirtualBox, 3 of which are high severity (CVSS scores 8.2 and 8.8). They are fixed in the VirtualBox 6.0.10 and 5.2.32 updates (the release notes do not mention the security fixes). Details have not been published, but judging by the CVSS scores, the fixed vulnerabilities allow code running in a guest system to execute code on the host side.
- 10 vulnerabilities in Solaris (maximum score 9.1, for an IPv6-related vulnerability in the kernel, CVE-2019-5597, which allows a remote attack; details are not reported). Two locally exploitable issues, in the Common Desktop Environment and in the LDAP client utilities, are also rated high at 8.8. Other issues scoring above 7 include remotely exploitable vulnerabilities in the ICMPv6 and NFS handlers of the Solaris kernel and local problems in the file system and in Gnuplot.
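As an added practitioner check (this is not code from Oracle or from the article), the following Python script normalises the version strings printed by `java -version`, `mysql --version` and `VBoxManage --version` and compares them with the fixed Java SE, MySQL Community Server and VirtualBox releases named above. The product keys, the `check_host` helper and the sample outputs are this example's own assumptions; the sample outputs are constructed, not captured from real hosts.

```python
import re
import subprocess
from typing import Callable, Dict, Optional, Tuple

Version = Tuple[int, ...]

# Fixed releases named in the CPU coverage above, keyed by release line. Lines the
# update does not name (Java 10, MySQL 5.5, ...) are deliberately absent and come
# back as "unknown" rather than as a false "patched".
FIXED: Dict[str, Dict[Version, Version]] = {
    "java":       {(12,): (12, 0, 2), (11,): (11, 0, 4), (8,): (8, 0, 221)},
    "mysql":      {(8, 0): (8, 0, 17), (5, 7): (5, 7, 27), (5, 6): (5, 6, 45)},
    "virtualbox": {(6, 0): (6, 0, 10), (5, 2): (5, 2, 32)},
}
# Number of leading version components that identify a release line per product.
LINE_LEN = {"java": 1, "mysql": 2, "virtualbox": 2}


def parse_java(text: str) -> Optional[Version]:
    """Normalise `java -version` output or a bare tag to (major, minor, update):
    '1.8.0_212' -> (8, 0, 212), '11.0.3' -> (11, 0, 3), '8u221' -> (8, 0, 221)."""
    m = re.search(r'version "([^"]+)"', text)
    tag = m.group(1) if m else text.strip()
    m = re.fullmatch(r"1\.(\d+)\.(\d+)_(\d+)(?:-.*)?", tag)   # pre-9 scheme
    if m:
        return int(m.group(1)), int(m.group(2)), int(m.group(3))
    m = re.fullmatch(r"(\d+)u(\d+)", tag)                      # Oracle's update shorthand
    if m:
        return int(m.group(1)), 0, int(m.group(2))
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", tag)        # 9+ scheme; '11' -> 11.0.0
    if m:
        return tuple(int(g) if g else 0 for g in m.groups())
    return None


def parse_mysql(text: str) -> Optional[Version]:
    """Extract the server version from `mysql --version` / `mysqld --version`.
    The 5.x client prints 'Ver 14.14 Distrib 5.7.26 ...' (14.14 is the client tool
    version); requiring three components skips it and picks up the Distrib value."""
    m = re.search(r"(?:Distrib|Ver)\s+(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


def parse_virtualbox(text: str) -> Optional[Version]:
    """Extract the version from `VBoxManage --version` output such as '6.0.8r130520'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None


PARSERS: Dict[str, Callable[[str], Optional[Version]]] = {
    "java": parse_java, "mysql": parse_mysql, "virtualbox": parse_virtualbox,
}


def patch_status(product: str, text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one product's version output.
    'unknown' covers unparseable output and release lines not in FIXED; both need
    a human look rather than a silent pass."""
    installed = PARSERS[product](text)
    if installed is None:
        return "unknown"
    fixed = FIXED[product].get(installed[:LINE_LEN[product]])
    if fixed is None:
        return "unknown"
    return "patched" if installed >= fixed else "vulnerable"


# Constructed sample outputs (not captured from real hosts), for offline use.
SAMPLES = {
    "java": 'openjdk version "1.8.0_212"\nOpenJDK Runtime Environment (build 1.8.0_212-b03)',
    "mysql": "mysql  Ver 14.14 Distrib 5.7.27, for Linux (x86_64) using  EditLine wrapper",
    "virtualbox": "6.0.8r130520",
}


def check_host(timeout: float = 20) -> Dict[str, str]:
    """Run the version commands on this machine; 'not installed' if a binary is absent."""
    cmds = {"java": ["java", "-version"], "mysql": ["mysql", "--version"],
            "virtualbox": ["VBoxManage", "--version"]}
    results = {}
    for product, cmd in cmds.items():
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
        except (OSError, subprocess.TimeoutExpired):
            results[product] = "not installed"
            continue
        # `java -version` writes to stderr, the other two to stdout.
        results[product] = patch_status(product, proc.stdout + proc.stderr)
    return results


if __name__ == "__main__":
    for product, text in SAMPLES.items():
        print(f"{product:10s} sample -> {patch_status(product, text)}")
    for product, verdict in check_host().items():
        print(f"{product:10s} host   -> {verdict}")
```

Two caveats apply to any check of this kind. The baselines are Oracle's upstream release numbers, so a distribution build that backports the fixes under an older version number, or a Java build from another vendor, is reported by number alone and may be misjudged. And since CVE-2019-3822 lives in libcurl, a MySQL build that links the system libcurl instead of the bundled copy takes that fix from the OS package, which the MySQL version string says nothing about.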