Oracle splats 276 bugs with mammoth Critical Patch Update

In case you missed it, Oracle’s July 2016 Critical Patch Update is out, and it’s bigger than ever before.

It plugs 276 security issues across hundreds of Oracle products, including Oracle Database Server, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

“Out of the 276 vulnerabilities, 159 can be exploited remotely without authentication, typically over a network without the need of any credentials,” noted Qualys’ Director of Vulnerability Labs Amol Sarwate.

The number of flaws (13) patched in Java SE looks paltry in comparison, but nine of those can be exploited by unauthenticated attackers over the network.

Four received an extremely high CVSS 3.0 score of 9.6 (10 is the highest), and apply to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Sarwate advises end users to implement those patches at once. He advises the same urgency for database patching teams for the implementation of patches for MySQL and Oracle database server.

“Typically databases are not exposed directly to the internet but as they hold the crown jewels of any organization, we recommend patching immediately,” he explained.

Patches for Oracle’s various servers are mostly included in the Oracle Fusion Middleware update, but web server admins should also turn their attention to updating components like Enterprise Manager Grid Control, E-Business Suite and Supply Chain Products.

“For operating system and networking gear, focus on Solaris and Linux as well as patches for Sun Blade and switches. These are included in the Oracle Sun Systems Products Suite and out of the 34 vulnerability 21 can be exploited without authentication,” Sarwate noted.

For more information about each of the plugged vulnerabilities, a list of all affected products, and direct links to the updates, go here and here.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches,” the company pointed out. “Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”

The next Oracle Critical Patch Update is scheduled for October 18, 2016.