Oracle to release patches for 334 vulnerabilities

News by Robert Abel

Oracle announced it will release a Critical Patch Update tomorrow (17 July) addressing 334 security vulnerabilities, the most severe of which has a CVSS 3.0 Base Score of 9.8.

The patch affects hundreds of products, and Oracle and security researchers alike recommend that users update their systems as soon as possible to prevent exploitation.

"Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products," researchers said in the pre-release announcement. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible."

The Database Server section of the advisory contains three new security fixes for the Oracle Database Server, one of which addresses a vulnerability that could be remotely exploited without authentication; the affected components are Core RDBMS, Java VM, and Oracle Spatial.

The update also includes a new security fix for Oracle Global Lifecycle Management, 14 new security fixes for Oracle Communications Applications, and 11 new security fixes for the Oracle Construction and Engineering Suite.

The Global Lifecycle Management fix addresses a vulnerability that is likewise remotely exploitable without authentication, affecting the company's Global Lifecycle Management OPatchAuto component.

The update will also address issues in Oracle E-Business Suite, Enterprise Manager Products Suite, Financial Services Applications, Fusion Middleware, Hospitality Applications, Hyperion, iLearning, Insurance Applications, Java SE, JD Edwards Products, MySQL, PeopleSoft Products, Policy Automation, Retail Applications, Siebel CRM, Sun Systems Products Suite, Support Tools, Utilities Applications, and Virtualisation.

Some researchers fear these vulnerabilities will affect products for years to come, and recognise that, given the scope of the update, many users may delay updating their systems for fear of the downtime the updates may cause.

"Because updating Oracle databases [generally] causes business disruption, people are often slow to make necessary updates," said Allan Liska, threat intelligence researcher at Recorded Future. "We encourage organisations to immediately begin planning for these updates, given the significant risk and low attacker sophistication to find and exploit." 

Liska added that many of the affected products are deployed on public-facing websites, which could mean hundreds of thousands of hosts and organisations are vulnerable to attack.
