Oracle Patches Record 276 Vulnerabilities with July Critical Patch Update

Oracle fixed a record 276 vulnerabilities – more than half of which are remotely exploitable – as part of its July Critical Patch Update on Tuesday afternoon.

Oracle has one-upped itself once again. The company fixed a record 276 vulnerabilities – more than half of which are remotely exploitable – as part of its July Critical Patch Update released Tuesday afternoon.

The quarterly patch update resolves vulnerabilities in 84 different products, including Oracle Database Server, Oracle Fusion Middleware, and Oracle’s E-Business Suite to name a few. The number of fixes exceeds the previous all time high, 248 patches, pushed by Oracle in January and marks more than double the amount of vulnerabilities addressed by the company in its last CPU in April.

Like the April CPU, more than 50 percent of the vulnerabilities, 159 in total, can be exploited remotely without authentication. Oracle Fusion Middleware is the biggest culprit; 35 of the 40 vulnerabilities that affect the software are remotely exploitable. The company’s E-Business Suite – in which 21 of the 23 vulnerabilities are remotely exploitable – and Oracle Sun Systems Products Suite – in which 21 of the 34 vulnerabilities are remotely exploitable – also merit attention.

Nineteen vulnerabilities across nine different products fetch a CVSS 3.0 rating of 9.8, the most critical vulnerability rating this quarter.

While Oracle is encouraging its customers to apply the fixes as soon as possible, users will want to prioritize the update if they’re running one of the nine affected pieces of software: Oracle Fusion Middleware, Supply Chain Products, Oracle Communications Applications, Oracle Health Sciences, Oracle Retail Applications, Oracle Sun Systems Products Suite, and Oracle Virtualization. All 19 bugs are remotely exploitable without authentication, meaning an attacker wouldn’t need a username or password to exploit them, according to Oracle’s advisory.

It wouldn’t be an Oracle CPU without patches for perennial whipping boy Java. This quarter’s update includes 13 patches for Java SE, nine of which are remotely exploitable without authentication. Users running Java SE version(s) 6u115, 7u101, 8u92, or Java SE Embedded, version(s) 8u92, are affected.

Noted researcher David Litchfield, a skilled Oracle bug hunter, uncovered nearly 10 percent of the vulnerabilities, 27 bugs, including a mix of SQL injections, cross-site scripting vulnerabilities, and server-side request forgery attacks.

Litchfield outlined the bugs via .PDF documents on Tuesday.

Among them were a slew of XSS flaws in Oracle Primavera, project management software that’s usually used in industries such as engineering, construction, aerospace and other fields. Litchfield discovered that via arbitrary HTML/script that doesn’t use parentheses or a .write clause an attacker could bypass a XSS filter designed to protect users against exploitation in the software.

One of the scariest sounding vulnerabilities he found exists in Agile, Oracle’s Product Lifecycle Management Database. The vulnerability could allow a user Index Privileges on SYS tables, something that could allow them to execute as SYS and allow “complete compromise of the database.”

Litchfield also described a series of SQL injections in eBusiness Suite, a XSS and SSRF flaw in Apex, and XSS vulnerabilities in Oracle Business Intelligence Enterprise Edition.

Considering the sheer number of vulnerabilities, experts on Tuesday said it’s likely admins will have their plates full with this quarter’s patches.

“Oracle systems are complex and multi-component, not speaking about numerous customizations every company usually has,”Alexander Polyakov, CTO at ERPScan, a company that helps companies secure Oracle enterprise resource planning (ERP) systems, “So, Oracle admins should be ready for difficult and time-consuming work of implementing all the patches.”

Suggested articles


  • deijmaster on

    Just wondering... Do we still need these kinds of posts in 2016? Patching is important, but should it make news... still?
    • Frank on

      I think it could be argued it should when it's 276 patches. That's a lot of vulnerabilities! Attackers clearly focusing on Oracle stuff more these days.
  • Bob on

    This is what you need to see if you're a security professional, which I am. If you're a security tourist wannabe who just likes knowing about the train wrecks to tell your friends about, then no. I have seldom seen where there was a hack that was possible when systems were properly patched. Sure, maybe close to a zero-day, but still. Now if you don't have some skin in the game son, then go to CNN and wait for the cute stories. But the rest of us, we're all in and have total commitment to our field. If we don't know about this stuff from somewhere, we're out of a job. I go to bed every night with 200 servers out there on the internet and 5000 dumb employees opening e-mails and god knows how many thousands of hackers trying to screw me across the world. Welcome to the security profession.
  • Raaz on

    Ameen..!!! Bob, i am so with you especially dealing with the very issues you describe and this is why we need to know these things so that we know how to better protect users and their information. If someone doesn't like this post then maybe they are on the wrong website.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.