Oracle admins are staring down the barrel of a massive quarterly Critical Patch Update that includes 405 patches.
Business software giant Oracle Corp. revealed 286 of those vulnerabilities are remotely exploitable across nearly two dozen product lines.
Impacted with multiple critical flaws, rated 9.8 CVSS in severity, are 13 key Oracle products including Oracle Financial Services Applications, Oracle MySQL, Oracle Retail Applications and Oracle Support Tools, according to the company’s April Critical Patch Update Pre-Release Announcement, posted Monday.
Each of the bugs will be addressed with mitigation advice or patches by Oracle on Tuesday, coinciding with Microsoft’s April Patch Tuesday release of fixes. That will keep system and network admins taxed with a flood of critical vulnerabilities to contend with.
Oracle’s Fusion Middleware alone is reporting 49 “vulnerabilities [that] may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials,” according to the bulletin.
Oracle said in total, its Fusion Middleware family of software has 56 new security patches affecting nearly 20 related services, including Identity Manager Connector (v. 9.0), Big Data Discovery (v. 1.6) and WebCenter Portal (v. 220.127.116.11.0, 18.104.22.168.0, 22.214.171.124.0).
The mammoth update also includes medium-severity flaws for its Java Platform, Standard Edition (Java SE), used for developing and deploying Java applications. Fifteen bugs, with a CVSS rating of 8.5, are remotely exploitable by an unauthenticated attacker over a network – no user credentials required.
Details of the Java SE bugs, along with technical insights and mitigation guidance for all 405 flaws, will be available Tuesday.
Oracle also patched 34 critical vulnerabilities in the Oracle Financial Services Applications suite, 14 of those being remotely exploitable. Forty-five bugs in Oracle MySQL were identified, nine being remotely exploitable with a CVSS rating of 9.8.
Oracle’s popular Database Server line had just nine security bugs, two of which are remotely exploitable and have a CVSS rating of 8.0. As with many other Oracle products impacted by flaws this quarter, Oracle said none of the Database Server bugs “are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.”