Released alongside patches from Microsoft and Adobe yesterday, Oracle’s regularly scheduled Critical Patch Update fixed 98 issues across a handful of products, including Oracle’s Database, Fusion Middleware, Java SE, and MySQL, to name a few.
One of the most pressing issues the update resolves is a vulnerability (CVE-2015-0457) that affects Oracle Database. If exploited, a remote authenticated user could take full control of the system, cause denial of service conditions, as well as access and modify data. The vulnerability is most troublesome for those running Windows for Database versions prior to 12c as the bug garnered a CVSS Base Score 9.0 for that platform.
Of the 98 issues, the vulnerability is one of four that affects Oracle’s Database product.
Seventeen other issues affect Oracle’s Fusion Middleware, 12 which could be remotely exploited without authentication, including the GHOST vulnerability. After months of waiting, the issue, which affects the GNU libc library and had been previously patched in other Oracle products, was finally patched in Exalogic Infrastructure with this round of updates.
According to Oracle’s Software Security Assurance Director Eric Maurice, who explained more about the CPU in a blog Tuesday, 14 of the 98 fixes correspond to Java SE. 11 of them affect client-only implementations, meaning they can be exploited via sandboxed Java builds. If exploited the bugs could cause the Java Virtual Machine to execute arbitrary code, or lead to a sandbox bypass.
The highest number of fixes affect Oracle MySQL, which saw 26 updates yesterday, including four that are remotely exploitable without authentication.
An array of other products, like the company’s E-Business Suite, Supply Chain Suite, and Commerce Platform were all patched Tuesday too. The full rundown of fixes can be found over at the company’s CPU advisory page.
The update, Oracle’s second of the year, is a far cry from January’s, which saw a whopping 169 vulnerabilities fixed.