Oracle released the April 2016 Critical Patch Update, which provides fixes for 136 vulnerabilities in 49 products, including Java SE and MySQL, the company’s Database Server and E-Business Suite, its Fusion Middleware, and its Sun Systems Products Suite.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” the company advised.
“There are a few indicators that can help you prioritize what updates you should worry about first. Exploit code examples being available in Metasploit is an easy one. If it is in Metasploit, it is also in the threat actor’s hands. Beyond that things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited,” noted Shavlik’s Chris Goettl, pointing out that vulnerabilities that get the highest CVSS score (10.0) are usually exploited in the wild in less than a month after they have been disclosed and patched.
Therefore he recommends updating Java SE, MySQL, and the Sun Systems Products Suite before anything else.
For more information about the specific vulnerabilities and patches, check out the advisory accompanying the update.
It’s interesting to note that Oracle is gradually switching to version 3.0 of the Common Vulnerability Scoring System (CVSS), the numeric score commonly used as a shorthand for quickly gauging the seriousness of flaws.
In this update they still ranked the vulnerabilities according to both CVSS 2.0 and 3.0, but will switch to the latter completely in future Security Alerts and Critical Patch Updates (the next CPU is scheduled for 19 July 2016).
The newer version is meant to describe severity more accurately: among other changes, it adds a Scope metric to capture flaws that let an attacker reach beyond the vulnerable component, and it scores required privileges and user interaction as separate metrics, so the same flaw can receive a noticeably different score under 2.0 and 3.0.
ERPScan’s research team posted a good write-up about the Oracle CPU in which they explain the scoring changes succinctly, as well as detail the most critical vulnerabilities fixed in this round of updates.