Oracle admins are today staring down the barrel of the biggest quarterly Critical Patch Update ever.
The numbers are gory: 308 vulnerabilities patched, 165 of which are remotely exploitable, across more than 90 products. So far in 2017, Oracle has patched 878 vulnerabilities through three CPUs.
System and network admins have never been taxed by patching as heavily as they have been this year. On the Windows side, Microsoft has overhauled its security bulletins, replacing them with the cumbersome Security Update Guide. Windows admins have had to deal with critical updates for the SMB bug used by WannaCry and ExPetr, including out-of-band patches for XP and other unsupported versions of Windows. WannaCry and ExPetr exposed how much the industry still struggles and lags with patching.
Now admins must contend with Oracle’s mammoth update, which tops April’s record patch count of 300.
“Since the April 2017 Oracle CPU, the world has been rocked by global malware attacks that exploit well-known flaws that have readily available fixes,” said John Matthew Holt, CTO of Waratek, in a statement. “Overburdened and under-resourced security teams simply cannot apply physical patches fast enough to stay ahead of the attackers.
“Businesses continue to rely on legacy applications that can’t be patched or upgraded, creating yet another avenue of attack,” Holt said. “Now this CPU introduces a new range of flaws for hackers to try to exploit before cyber professionals can plug the holes over the coming months (or year).”
Oracle E-Business Suite accounts for more than 120 of the vulnerabilities addressed in the update, 118 of which are remotely exploitable. Onapsis disclosed details on one of the flaws it privately reported to Oracle in the suite that allows attackers to download sensitive business documents and configuration files without authentication.
The E-Business Suite was by far the most scrutinized product in today’s CPU.
Oracle Fusion Middleware and Java SE addressed a much more reasonable 18 and 17 vulnerabilities, respectively, but 16 flaws in each product are remotely exploitable.
Seven Fusion Middleware bugs have a CVSS score of at least 8.6, with three remotely exploitable flaws in Oracle Outside In Technology, Tuxedo and WebLogic Server rated at 9.8.
Three Java SE, Java SE Embedded and JRockit vulnerabilities are rated at a CVSS score of at least 9.0; all are remotely exploitable and affect multiple versions of the respective software.
Oracle also patched 37 vulnerabilities in the Oracle Financial Services Applications suite, 14 of them remotely exploitable. Four bugs in the Oracle FLEXCUBE component have a CVSS score of at least 8.1, but only one of those is remotely exploitable.
Also worth noting are five patches in the Oracle Database Server, three of which are remotely exploitable in the Oracle Secure Backup and Oracle Big Data Graph components included with the server.