Updates for Java SE, MySQL, VirtualBox and other Oracle products with vulnerabilities fixed

Oracle has published its scheduled release of product updates (Critical Patch Update), aimed at eliminating critical problems and vulnerabilities. The April update fixes 297 vulnerabilities.

The Java SE 12.0.1, 11.0.3 and 8u212 releases fix 5 security issues. All of the vulnerabilities can be exploited remotely without authentication. One vulnerability, specific to the Windows platform, has been assigned a CVSS score of 9.0 (CVE-2019-2699), which corresponds to the critical severity level and allows an unauthenticated user to compromise Java SE applications over the network. Two vulnerabilities in the 2D graphics processing subsystem are rated 8.1 (CVE-2019-2697, CVE-2019-2698). Details have not yet been disclosed.

In addition to issues in Java SE, vulnerabilities have been made public in other Oracle products, including:

  • 40 vulnerabilities in MySQL (maximum severity 7.5). The most dangerous problem
    (CVE-2019-2632) affects the authentication plug-in subsystem. The issues will be fixed in the MySQL Community Server 8.0.16, 5.7.26 and 5.6.44 releases.

  • 12 vulnerabilities in VirtualBox, of which 7 are critical (CVSS score 8.8). The vulnerabilities are fixed in the VirtualBox 6.0.6 and 5.2.28 updates (the release notes do not advertise the fact that security problems were fixed). Details are not reported, but judging by the CVSS level, the fixed vulnerabilities are those demonstrated at the Pwn2Own 2019 competition, which allow code to be executed on the host system from the guest system environment.

  • 3 vulnerabilities in Solaris (maximum severity 5.3): issues in the IPS package manager, SunSSH, and the lock management service. The issues are fixed in the
    Solaris 11.4 SRU8 release, which also resumes support for the UCB libraries (libucb, librpcsoc, libdbm, libtermcap, libcurses) and the fc-fabric service, and updates the following packages:
    ibus 1.5.19,
    NTP 4.2.8p12,
    Firefox 60.6.0esr,
    BIND 9.11.6,
    OpenSSL 1.0.2r,
    MySQL 5.6.43 & 5.7.25,
    libxml2 2.9.9,
    libxslt 1.1.33,
    Wireshark 2.6.7,
    ncurses 6.1.0.20190105,
    Apache httpd 2.4.38,
    perl 5.22.

Source: opennet.ru
