It’s about that time of year when Oracle release their quarterly security patches, and this time there are over 250 fixes spanning over 76 products.
In fact, there are a total of 253 patch fixes, of which 15 have a Common Vulnerability Scoring System (CVSS) score of 9.0 or over, meaning they are critical updates. According to the verbose patch dump explainer, Oracle Big Data Discovery, Oracle Web Services, Oracle Commerce and WebLogic are the areas more likely to be compromised by the worst of the bugs.
Not just that, there is also a pair of Java vulnerabilities that allow an unauthenticated attacker with network access to compromise Java SE. Successful attacks require human interaction from a person other than the attacker. Although the vulnerabilities are in Java SE, other products and systems can also be affected, and an attack could lead to complete takeover of the Java SE environment.
The OJVM component of Oracle Database Server is another product that carries a critical bug, rated at 9.1 on the CVSS. This bug affects Oracle Database versions 11.2.0.4 and 12.1.0.2 and is easily exploited by high-privileged attackers holding the Create Session and Create Procedure privileges to compromise OJVM. Again, these attacks have the potential to cause major disruption to other products in your suite, and can result in the takedown of OJVM.
Those of you using Oracle Database should know that the Application Express component of your environment is most at risk from attackers with network access via HTTP. And for anyone still using the Sun Ray thin client caper, there’s a rather large bug rated at 8.2 to tend to. But fear not, as these are all taken care of in this release.
As you can imagine, a seemingly endless list of bugs was found during this process, and the 253 patches that have been released are there to fix any issues you as an end user might be experiencing.
If you feel that you need help understanding these patches or anything around Oracle’s quarterly release, please get in touch and one of our Oracle Database experts or specialist DBAs will be able to talk you through it.