However, three of the eight vulnerabilities were rated critical, with CVSS scores of 10.0. That rating assumes the user running the Java applet or Java Web Start application has administrator privileges, which is the typical scenario on Windows systems. If the user does not have administrator privileges, a scenario more common on Solaris and Linux systems, the CVSS score drops to 7.5.
Two of the critical flaws, one in Java's 2D component (CVE-2016-0494) and one in Java's AWT (CVE-2015-8126), can only be exploited through sandboxed Java Web Start applications and Java applets. The other AWT bug (CVE-2016-0483) also affects server-side Java deployments, since an attacker could potentially exploit it by supplying crafted data through a Web service, "and should be looked at by your server team," Kandek said.
Oracle "strongly recommends" that customers remain on actively supported versions and apply Critical Patch Update fixes without delay. Of the 16 updates addressing issues in Solaris 11, four could be exploited remotely without authentication. Also worrying, eight of them could result in an attacker gaining complete control over the system. Unsupported Solaris 11.x versions should be upgraded to a supported release or patch set.
None of the vulnerabilities appear to be under active exploitation, but that doesn't mean administrators can take their time with patching. Attackers frequently target vulnerabilities even after patches have been released, because they know that not everyone patches promptly.