Oracle has patched hundreds of vulnerabilities in the firm’s quarterly patch update.
On Tuesday, Oracle’s security advisory said the latest Critical Patch Update (CPU) addresses a total of 252 security fixes for hundreds of products.
Oracle Fusion Middleware, Oracle Hospitality, Oracle MySQL, and PeopleSoft have received the most fixes in the latest update.
According to Onapsis, which contributed to many of the reported bugs fixed in the CPU, 182 of the vulnerabilities directly impact business-critical applications, such as the Oracle E-Business Suite.
SQL injection bugs, information disclosure, remote code execution flaws, Persistent Cross Site Scripting (XSS) bugs and denial-of-service issues have been resolved in a number of products.
Java, naturally, has also been bestowed with security patches. A total of 22 vulnerabilities have been addressed, 20 of which are remotely exploitable without authentication. The most severe issue has a CVSS score of 9.6.
On September 22, Oracle released a security alert reminding users that a patch was issued in April for CVE-2017-9805, the Apache Struts vulnerability which impacted the software’s REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13, which can lead to remote code execution when deserializing XML payloads.
The bug is believed to be responsible for the massive Equifax data breach which exposed information belonging to 145.5 million US citizens, alongside UK and Canadian residents.
The list of those who contributed to the latest patch update is vast but includes security researchers from Apple, Onapsis, ERPScan, Flexera Software, and Divergent Security. Onapsis contributed a total of 23 vulnerabilities, while researchers from ERPScan reported a total of 14 bugs.
“Since the July 2017 Oracle CPU, the world has been rocked by Equifax, KRACK, and ROCA, giving new urgency to quickly patching these emerging vulnerabilities,” said Apostolos Giannakidis, security architect at Waratek. “While smaller than recent CPUs, there are very important updates included in this critical patch such as patches that fix the serialization flaws.”
As always, IT admins should apply these patches to systems immediately to reduce the risk of compromise. As we’ve seen with Equifax, a late or forgotten security update can spell utter disaster for a modern-day enterprise.
The next Oracle CPU is expected to land on January 16, 2018.
Previous and related coverage
Former Equifax CEO Richard Smith says the data breach shouldn’t have happened on his watch.
While competitors like Microsoft already offer blockchain as a service, Oracle will argue at OpenWorld that it’s uniquely able to help customers seamlessly integrate the technology with existing applications.
Oracle is shutting down SPARC and Solaris. Good bye, Sun. It was nice knowing you.