Oracle recently released a Critical Patch Update (CPU) for July. What sets this Oracle Critical Patch Update apart from others is the incredible amount of vulnerabilities that are being patched. In total, according to the advisory released by the company, Oracle has patched 334 vulnerabilities with 61 of these receiving critical scores on the Common Vulnerability Scoring System (CVSS).
Oracle had this to say in their advisory on the July Critical Patch Update:
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
Due to the vast number of patches, it is impossible to cover them all in this article, however, some things stick out. Firstly, the patches heavily affect Oracle’s business applications such as E-Business Suite, the MySQL database, Siebel CRM, and the Fusion middleware. Such patches involve issues ranging from unauthenticated user attacks resulting in access to critical data (CVE-2018-2944) to arbitrary code injection caused by a binary payload (CVE-2017-5645). Other patches worth mentioning include (CVE-2018-3100), which allows for attackers to exploit the Oracle Business Process Management Suite component of Oracle Fusion Middleware to create, delete, or modify critical data.
Many of the patched vulnerabilities were uncovered by independent researchers or other parties outside of Oracle. In its report on the Oracle Critical Patch Update, Kaspersky Lab’s Threatpost stated that 43 independent researchers and “analysts from Apple, GE, Google, Pulse Security, Trend Micro, Secunia, and others” were credited by Oracle for reporting the issues. Oracle has a ton of business-critical software affected by these patches and it would be horrible to imagine the damage done if the vulnerabilities had never been found.
It is of some concern that Oracle had such glaring issues in such large quantities to begin with, but at least there are solutions that must be implemented as soon as possible.
Featured image: Pixabay