Critical Java Patches Coming Tuesday

Oracle has announced that it will issue a Critical Patch Update for Java SE next Tuesday, June 7. The update will contain 17 new security fixes for serious vulnerabilities; according to Oracle,

All these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

These versions of Java are affected by this update:

  • JDK and JRE 6 Update 25 and earlier for Windows, Solaris, and Linux
  • JDK and JRE 5.0 Update 29 and earlier for Windows, Solaris and Linux
  • SDK and JRE 1.4.2_31 and earlier for Windows, Solaris and Linux
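A quick way to check whether a host falls inside the affected ranges above is to parse the banner that `java -version` prints. The following is an added example (not from the original post or from Oracle); it assumes the standard `1.x.y_NN` version-string format, and the sample banners it checks are constructed, not captured from a real host.

```python
import re
import subprocess

# Affected families from the advisory, mapped to the last affected update number.
AFFECTED = {
    (1, 6, 0): 25,   # JDK and JRE 6 Update 25 and earlier
    (1, 5, 0): 29,   # JDK and JRE 5.0 Update 29 and earlier
    (1, 4, 2): 31,   # SDK and JRE 1.4.2_31 and earlier
}

# Matches the first line of `java -version`, e.g. java version "1.6.0_25"
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(banner):
    """Parse a `java -version` banner into ((major, minor, micro), update)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised java -version output: %r" % banner)
    family = tuple(int(m.group(i)) for i in (1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0   # no suffix means update 0
    return family, update


def is_affected(banner):
    """True if the version in `banner` is one the June 7 update fixes."""
    family, update = parse_java_version(banner)
    last_affected = AFFECTED.get(family)
    if last_affected is None:
        return False   # a family the advisory does not list
    return update <= last_affected


def installed_java_affected():
    """Check the locally installed java; the banner is printed on stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_affected(proc.stderr + proc.stdout)


# Constructed sample banners used for the demonstration below.
SAMPLE_BANNERS = [
    'java version "1.6.0_25"\nJava(TM) SE Runtime Environment (build 1.6.0_25-b06)',
    'java version "1.6.0_26"',
    'java version "1.5.0_29"',
    'java version "1.4.2_32"',
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        verdict = "affected" if is_affected(b) else "not affected"
        print(b.splitlines()[0], "->", verdict)
```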

As many vendors do, Oracle rates the severity of vulnerabilities using the Common Vulnerability Scoring System [CVSS], which ranks vulnerabilities on a scale of 0 to 10, where 10 is most severe, based on a number of factors. The maximum rating for the vulnerabilities to be fixed in this update is 10.0. (Oracle has a page describing its use of CVSS. The Forum of Incident Response and Security Teams [FIRST] has a very thorough description of CVSS on its site.)

Because of the severity of these vulnerabilities, and the popularity of Java as an attack vector, I recommend you install these updates as soon as you can after they are released next Tuesday. This assumes, of course, that you have Java installed on your system; see this post for a discussion of whether you should keep it there.

One Response to Critical Java Patches Coming Tuesday

  1. […] announced last week, Oracle today released a new version of the Java SE environment, version 6 update 26, for Windows, […]
