Oracle's April patch update fixes 136 vulnerabilities - Vulnerability Alerts - 黑吧安全网 (MyHack58)

ID MYHACK58:62201674040
Type myhack58
Reporter Anonymous (佚名)
Modified 2016-04-25T00:00:00


This week, in its quarterly Critical Patch Update, Oracle fixed 136 vulnerabilities in 46 different products. More than half of them (72 in total) have a corresponding CVE number and can be exploited by an attacker without authentication.

Oracle also shipped fixes for a range of products, including Oracle Database Server, Oracle E-Business Suite, the Fusion Middleware product line, and the former Sun Microsystems products such as the Java SE platform and the MySQL database. The corresponding upgrades and patches began rolling out to users on Tuesday. This update is the company's second batch of fixes in 2016, and compared with Oracle's usual patch updates the number of vulnerabilities fixed has dropped sharply: the January 2016 patch update fixed as many as 248.

Seven of the vulnerabilities, found in Java SE, JRockit, Oracle's Unix operating system Solaris, and MySQL Server, are rated 10.0, which means all of them are high-risk. Oracle also warned that all of these vulnerabilities can be exploited remotely without authentication: an attacker may be able to break into the target system and carry out an attack without needing a user name and password. Oracle said that every product line will receive patch notifications this week. MySQL accounts for the largest share, with 31 patches, four of which address vulnerabilities an attacker can exploit remotely. Fusion Middleware has the second-largest number of fixes, 22, of which 21 address remotely exploitable vulnerabilities.

To provide more accurate vulnerability risk assessment, Oracle has also moved to the upgraded version of the Common Vulnerability Scoring System, CVSS v3.0. Scored under the new version, and strictly from a technical point of view, none of the vulnerabilities now rates 10.0.
CVSS, the Common Vulnerability Scoring System, dates back to 2007. It is an open standard in the information security industry, designed to measure the severity of vulnerabilities and to help security teams decide how urgent and how important a response is. CVSS is part of the Security Content Automation Protocol (SCAP), and CVSS data is usually published and maintained together with CVE entries by the U.S. National Vulnerability Database (NVD). Its main purpose is to give people a common yardstick for vulnerability severity, so that vulnerabilities can be compared and their handling prioritized. A CVSS score is built from measurements along a series of dimensions, called metrics. The final score ranges from a maximum of 10 down to a minimum of 0. A score of 7 to 10 is generally considered high risk, 4 to 6.9 medium, and 0 to 3.9 low (the v3.0 qualitative scale additionally splits 9.0 to 10.0 off as Critical). Oracle says that with v3.0 the security teams have recalibrated the CVSS base scores. Both the Solaris vulnerabilities and the MySQL database vulnerabilities now carry a base score of 9.8, while the ratings of the Java SE vulnerabilities have risen. Under v2.0 only seven vulnerabilities were marked high-risk, but under v3.0 a total of 17 vulnerabilities score above 9.0, which means 17 vulnerabilities are now marked high-risk. Earlier, the cloud security vendor NopSec had challenged the accuracy of CVSS in its latest published vulnerability study, and said on social media that it could provide better indicators for critical vulnerabilities.
Strictly speaking, a CVSS score does not represent the probability that a particular event will occur; it only represents how likely an intrusion into the company would be to succeed. CVSS v3.0 first became available in June 2015. For researchers who work on Oracle security, this system, which took three years to develop, is a landmark step forward. Polyakov, an expert on Oracle security, told Threatpost in an interview on Wednesday: "I am very pleased to witness the progress and change in the vulnerability rating system. Many questions had been raised about CVSS v2.0, and many people had begun to doubt the accuracy of v2.0 scoring. For example, most commercial vulnerability management software uses CVSS as its basis, so companies usually view vulnerabilities from the perspective of the CVSS score. Although CVSS is remarkably effective for rapid vulnerability prioritization and triage, its ordering is often also localized and configured to the needs of the enterprise. This means that many vendors decide whether a vulnerability needs a fast response based on the results the scoring system gives, and accuracy has become a problem companies must consider when making decisions. Now the system has been updated, its accuracy has greatly improved, and the problems of the previous version have been resolved."