Oracle has released its official July Critical Patch Update. The patch fixes a record 276 vulnerabilities, a large increase over its previous high of 248 in January. It covers 84 Oracle products (the full list is in Oracle's advisory), with Oracle Fusion Middleware, E-Business Suite, and Oracle Sun Systems Products Suite containing the greatest number of vulnerabilities. The most severe Java-related flaws score 9.8 on the CVSS (Common Vulnerability Scoring System) 3.0 scale, which at that level means network-reachable, low-complexity attacks requiring no privileges and no user interaction.
What is important to note about the vulnerabilities covered by July’s Critical Patch Update (or CPU) is that many can be exploited remotely. An attacker needs only network access to the affected service, not local or physical access to the server, and no prior authentication (i.e. no username or password). The attack classes enabled by these vulnerabilities include SQL injection, cross-site scripting, and server-side request forgery (the latter uncovered by security researcher David Litchfield). Given this, it is vital that Oracle admins begin patching as soon as possible.
The issue is that the severity of the security flaws is not enough for some companies to patch immediately. As Oracle itself states in the patch report, “Oracle continues to… receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes… it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.” The most likely explanation is a failure of prioritization on the part of security teams: the labor-intensive nature of a patch this large may lead a less experienced security professional to defer, or never get to, fixes for glaring vulnerabilities.
Whatever the case, this quarterly Critical Patch Update cannot be ignored. Patches should be applied starting with the most critical vulnerabilities (those exploitable over the network without authentication and carrying the highest CVSS scores) and the products with the highest number of security flaws.
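One way to turn that prioritization rule into something repeatable is to parse the CVSS 3.0 vector strings Oracle publishes in its CPU risk matrix and rank fixes by whether they are network-reachable with no privileges required, then by base score and by product. The following is an added example, not code from the article or from Oracle; the risk-matrix rows it operates on are constructed for illustration and do not reproduce the actual July advisory.

```python
"""Triage a CPU-style risk matrix by CVSS 3.0 vector.

Added example (not part of the original article). It parses CVSS:3.0
vector strings, flags entries that are exploitable over the network
without authentication (AV:N and PR:N), and orders both individual
fixes and whole products worst-first.
"""
from collections import defaultdict

# Constructed sample rows: (product, component, CVSS 3.0 base score, vector).
# Illustrative only; these are not the real July CPU entries.
SAMPLE_MATRIX = [
    ("Java SE", "Hotspot", 9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("Fusion Middleware", "WebLogic", 7.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"),
    ("Fusion Middleware", "Forms", 6.5, "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
    ("E-Business Suite", "Applications Framework", 8.2, "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"),
    ("Database Server", "DBMS", 7.2, "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"),
]

# The eight base metrics every CVSS 3.0 vector must carry.
REQUIRED_METRICS = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}


def parse_vector(vector):
    """Parse a CVSS:3.0 vector string into a dict of metric -> value.

    Raises ValueError on a wrong version prefix, a malformed segment, or
    a missing base metric, so a typo in the matrix does not silently
    demote a finding.
    """
    parts = vector.split("/")
    if parts[0] != "CVSS:3.0":
        raise ValueError("not a CVSS 3.0 vector: %r" % vector)
    metrics = {}
    for segment in parts[1:]:
        key, sep, value = segment.partition(":")
        if not sep or not key or not value:
            raise ValueError("malformed segment %r in %r" % (segment, vector))
        metrics[key] = value
    missing = REQUIRED_METRICS - metrics.keys()
    if missing:
        raise ValueError("vector %r lacks metrics %s" % (vector, sorted(missing)))
    return metrics


def is_remote_unauthenticated(vector):
    """True when the flaw is reachable over the network with no privileges."""
    m = parse_vector(vector)
    return m["AV"] == "N" and m["PR"] == "N"


def triage(matrix):
    """Return rows worst-first: remote/unauthenticated entries by score, then the rest."""
    return sorted(
        matrix,
        key=lambda row: (not is_remote_unauthenticated(row[3]), -row[2]),
    )


def product_priority(matrix):
    """Rank products by remote/unauthenticated flaw count, max score, then total count."""
    stats = defaultdict(lambda: {"remote_unauth": 0, "max_score": 0.0, "total": 0})
    for product, _component, score, vector in matrix:
        entry = stats[product]
        entry["total"] += 1
        entry["max_score"] = max(entry["max_score"], score)
        if is_remote_unauthenticated(vector):
            entry["remote_unauth"] += 1
    return sorted(
        stats.items(),
        key=lambda kv: (-kv[1]["remote_unauth"], -kv[1]["max_score"], -kv[1]["total"]),
    )


if __name__ == "__main__":
    print("Patch order by individual fix:")
    for product, component, score, vector in triage(SAMPLE_MATRIX):
        flag = "REMOTE/UNAUTH" if is_remote_unauthenticated(vector) else "local or authenticated"
        print("  %-18s %-24s %.1f  %s" % (product, component, score, flag))
    print("Product order:")
    for product, entry in product_priority(SAMPLE_MATRIX):
        print("  %-18s remote/unauth=%d max=%.1f total=%d"
              % (product, entry["remote_unauth"], entry["max_score"], entry["total"]))
```

Note that the E-Business Suite row still ranks as remote/unauthenticated even though it needs user interaction (UI:R); if your environment treats UI:R as materially harder to exploit, extend the key in `triage` to sort on that metric as well rather than dropping it from the list.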