The CVSS Base Scores assume the user running a Java applet or Java Web Start application has administrator privileges, which is a common scenario on Windows. If the application is not running with administrator privileges -- more typical on Solaris and Linux -- the CVSS scores drop and the attackers would get only partial control of the targeted system, Oracle said in the advisory.
A separate flaw in the JavaFX subcomponent (CVE-2015-4901) applied to both client and server deployments. It could be exploited through sandboxed Java Web Start applications and Java applets, as well as by supplying data to the component's APIs through a Web service.
Twenty of the vulnerabilities were browser-based. Users should use only the default Java Plug-in and Java Web Start from the latest JDK or JRE 7 and 8 releases, Oracle said.
Oracle recommended that organizations apply the CPU as soon as possible because of the threats, but said it was possible to reduce the risk of successful attack by blocking the network protocol required by the attack. The most severe database vulnerability uses the OracleNET protocol, but it doesn’t make sense to apply this workaround for MySQL, which relies on HTTP. Some of the critical bugs become less severe if certain privileges or access to certain packages are revoked. Since these workarounds can break application functionality, Oracle recommended testing changes on nonproduction systems first.
“Neither approach should be considered a long-term solution as neither corrects the underlying problem,” Oracle said.
Oracle pushes out security fixes for its product portfolio on a quarterly basis. This quarter’s CPU is not significantly different in size from past updates. The July update included fixes for 193 vulnerabilities, while the January update fixed 169 vulnerabilities. The April update was the smallest in 2015, with fixes for 98 vulnerabilities.
Oracle’s next scheduled update is Jan. 19, 2016.