Oracle Critical Patch Update For January 2016 Addresses 248 Vulnerabilities
Oracle’s Critical Patch Update (CPU) for January 2016 was released on Tuesday and brings 248 security fixes across multiple product families.
Popular software with fixes in the update include Oracle Database, Java SE, and Oracle E-Business Suite, along with many other products.
Fortunately, of the 7 Oracle Database vulnerabilities being addressed this time around, none are remotely exploitable without authentication. However, the updates address 3 vulnerabilities in Oracle GoldenGate, all of which could be remotely exploitable without authentication.
New updates in Oracle’s E-Business Suite help remediate security issues and is intended to help enhance the overall security posture provided by E-Business Suite, the company said.
For Java, Oracle strongly recommended that users to ensure that they are using the most recent version of Java and are advised to remove obsolete Java SE versions from their computers if they are not absolutely needed.
Late last year, Oracle agreed to settle with the U.S. Federal Trade Commission over charges that it deceived customers about the security of the Java platform. As part of the settlement, Oracle will have to warn users during the Java update process if older versions of the software are present, notify them about the risks, and give them the option to remove the vulnerable application.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the database giant warned. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.”
Along with the January 2017 CPU, Oracle reminded customers to apply fixes and/or configuration steps that were announced for a Java deserialization vulnerability (CVE-2015-4852) in November 2015, which affected other third-party products, including many from Cisco.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” Oracle advises. “Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.”
"With 248 fixes it is important that you know what applications you are running within you compan," said Qualys CTO Wolfgang Kandek. "A complete inventory of your servers and installed software comes in handy to augment a manual application registry that many companies have made mandatory already. Scanning all of your machines will find applications that you were not aware of, plus versions of programs that are outdated and potentially even end-of-life."
The full details of all vulnerabilities are available in Oracle's security advisory.
*Updated with commentary from Qualys