Oracle has released its largest Java security patch to date, according to a company press release. The fix addresses approximately 300 vulnerabilities, including an Apache Struts 2 flaw that attackers used in April to carry out multiple attacks on systems. The patch applies to all Oracle products.
Fixes for multiple vulnerabilities
Most of the updates apply to applications in the company's communications, financial services and retail portfolios, ZDNet reported. Many of these platforms contain vulnerabilities that attackers can exploit remotely, which puts them at extreme risk. The patch also addresses 39 separate MySQL weaknesses and eight Java vulnerabilities. The aforementioned Apache flaw is the most high-profile Java lapse among them. The Apache Software Foundation released an initial patch for the bug back in March, but attackers quickly found a way around it in the form of a Metasploit module, according to the IBM Security Intelligence blog. The vulnerability has been at the center of many attacks since. However, attack patterns have changed considerably, CIO reported.
Struts still a problem
In early attacks, cyberthieves used backdoors and Unix bots to break into applications built on the open-source Struts 2 framework. Since the patch, many have switched to ransomware, specifically the Cerber build. This relatively new ransomware is considered impenetrable: data security specialists have been unable to circumvent its encryption since it appeared more than a year ago. This of course poses major problems for organizations hosting applications on Struts 2. Attackers collected over $1 billion in ransom using these pernicious programs last year, according to research from the Toronto-based data security firm Herjavec Group.
Oracle has warned users to apply the latest patch immediately, as delaying the update could compromise system security. The firm also discouraged the use of workarounds and encouraged users to test updated applications before putting them into production. Oracle plans to release its next round of security fixes in July, ZDNet reported.
Java issues persist
Despite these efforts, organizations that continue to rely on Java-based builds are likely to experience problems. Why? Even as companies like Oracle bolster their Java defenses, attackers still find success exploiting programs written in the language, according to recent research from Cisco. Additionally, most organizations that use Java run versions that are two or three releases behind the latest update, which complicates matters further. As a result, many plod along with major network vulnerabilities, and when attackers do strike, recovery takes longer because information technology teams must not only mitigate the threat but also update their outdated Java installations.