Oracle Admins Faced with 270 Fixes this Quarter

Exterminator

Oct 23, 2012
Oracle has released its first quarterly security advisory for the year and it’s one of the biggest ever, fixing a whopping 270 vulnerabilities.

The firm made it clear admins should prioritize this update as soon as possible:

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”

Over 100 (42%) of the patches are slated to fix issues in the Oracle E-Business Suite, 97% of which are remotely exploitable without authentication. This reflects a growing trend of vulnerabilities moving away from Oracle’s database and Java SE product sets, according to ERPScan.

Some 16 of the 270 fixes relate to flaws with a CVSS score of 9 to 10, meaning admins should jump on these fast.

The most critical of these is a CVSS 10-rated bug (CVE-2017-3324) in Primavera P6 Enterprise Project Portfolio Management software, which could allow an unauthenticated attacker to create, delete or modify business critical data.

Also ranked as requiring urgent attention are a CVSS 9.8 bug (CVE-2017-3248) in Oracle’s Oracle WebLogic Server; another (CVE-2016-6303) in PeopleSoft Enterprise PeopleTools; one (CVE-2016-6303) in JD Edwards EnterpriseOne Tools; and a vulnerability (CVE-2016-5019) in Enterprise Manager Base Platform.

Over the past five quarterly patch updates, only one has fixed fewer than 200 bugs. The record number of vulnerabilities still stands at 276, with the update issued in July last year.

The next update comes on 18 April, according to Oracle.
 

soccer97

May 22, 2014
Yes, their quarterly patch schedule. IMHO it should be at least every 2 months. Leaving that many vulnerabilities would make me reevaluate the use of that product...

If anyone is using Java (JRE or SE), an updated version was released today. It is a product of Oracle.

Zero Knowledge

Dec 2, 2016
Oracle makes insecure software. 270 bug fixes? Is that a joke? 100+ being RCE?

For a multi-billion dollar software company they have no idea about security. They also obviously don't have an internal testing team.

Sadly VirtualBox has been the only decent software they have made for years.