Oracle’s Patch Update

Thursday, October 20, 2016 @ 05:10 PM gHale


Oracle released its Critical Patch Update (CPU) for October fixing 253 vulnerabilities across its product lines.

Oracle products receiving the largest number of fixes this quarter include Oracle Communications Applications (36 patches), MySQL (31), Fusion Middleware (29), Financial Services Applications (24), and E-Business Suite (21). Oracle Database, Java SE, PeopleSoft, and Retail Applications also received patches.

RELATED STORIES
Fixes for MySQL Holes Near
Acrobat, Reader, Flash, Creative Cloud Patched
Microsoft Mitigates 4 Zero Days
Backdoor Hits WTP

At 253 patches, the October 2016 CPU is the second largest for the year, after the July CPU, which had 276 fixes. This month, Oracle resolved numerous Critical flaws in its products (over a dozen of the vulnerabilities had a CVSS base score above 9).

The Oracle E-Business Suite was the most affected mission-critical software, with 11 of the 21 resolved vulnerabilities assessed as High risk. On top of that, 14 of the flaws can end up exploited remotely without authentication, meaning an attacker could leverage them over a network without user credentials. The highest CVSS score of the 21 issues is 8.2.

Another flaw affects the web server component of Oracle EBS. The bug, remotely exploitable, could allow an unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, which could result in denial of service and unauthorized read access to data. There are 15,000 Oracle HTTP servers exposed to the Internet.

Other mission-critical software that received fixes in the October CPU include Oracle PeopleSoft (11 fixes), D Edwards Security (2 fixes), and Siebel CRM Security (3 fixes). The highest CVSS base score is 8.2.

The most critical issues resolved this month include four bugs with a CVSS score of 9.8: CVE-2015-3253 – affecting the Big Data Discovery component of Fusion Middleware; CVE-2016-3551 – affecting the Web Services component of Fusion Middleware; CVE-2016-5535 – affecting the WebLogic Server component of Oracle Fusion Middleware; CVE-2015-3253 – affecting the Commerce Platform component of Oracle Commerce; and a CVSS score 9.6 flaw – CVE-2016-5582, affecting the Java SE, Java SE Embedded component of Java SE.

Oracle included seven new security fixes for Java SE, affecting Java 6, 7, and 8. All of these vulnerabilities could be remotely exploitable without authentication, and three of them have a CVSS score of 9.6. These vulnerabilities apply to Java deployments in “clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code,” but not to server deployments that load and run only trusted code, Oracle officials said.



Leave a Reply

You must be logged in to post a comment.