Security Experts:

Oracle's Critical Patch Update for July Contains Record Number of Fixes

Oracle HQ

Oracle Addresses 276 Security Flaws, 19 Critical in Critical Patch Update (CPU) For July 2016

Oracle on Tuesday released its Critical Patch Update (CPU) for July 2016 to address a total of 276 vulnerabilities across multiple products, including 19 critical security flaws that have a CVSS score of 9.8.

This month’s Oracle CPU contains a record number of fixes, after the January 2016 set of patches established another one, at 248 security fixes. More worrying than the sheer number of addressed vulnerabilities is that 159 can be exploited remotely without authentication.

Overall, the July CPU addresses 36 security issues in applications designed specifically for the Retail, Insurance, Health, Financial, and Utility industries. However, with 4 remotely exploitable vulnerabilities without authentication in sector-specific products, the Retail industry appears to have been affected the most.

A total of 121 vulnerabilities were addressed in crucial business applications from Oracle, namely E-Business Suite, Fusion Middleware, PeopleSoft, Retail Applications, Oracle JD Edwards, Supply Chain Products, and Database Server. Of the total 121 flaws, 71% can be exploited remotely without authentication, ERPScan points out.

Fusion Middleware is the most affected Oracle product, with 39 resolved vulnerabilities, 35 of which can be exploited remotely without authentication. Next in line is the Oracle Sun Systems Products Suite with 34 bugs, 21 of which can be exploited without authentication. Supply Chain with 27 vulnerabilities, E-Business Suite with 23, and MySQL with 22 flaws round up the top five most affected products.

According to Amol Sarwate, director of engineering at Qualys, these 22 MySQL bugs, along with 9 issues resolved in Oracle database server, are what database patching teams should be focusing on. Moreover, Sarwate notes that, even if databases aren’t typically exposed directly to the Internet, organizations should apply the new patches as soon as possible.

The most critical updates in Oracle’s July 2016 CPU are for Java SE, where 9 out of the 13 addressed issues can be compromised remotely over the network, Sarwate also says.

These critical bugs have high-severity CVSS Scores between 7.0 and 10.0, and some of them are vulnerabilities in the HotSpot JVM internals, meaning that customers need to apply the Java CPU patches as soon as possible, John Matthew Holt, Java security expert and Waratek CTO, explains.

With a CVSS score of 9.6 and affecting Java SE 7 and/or Java SE 8, CVE-2016-3587 and CVE-2016-3606 are in the lead. CVE-2016-3550, which affects the HotSpot JVM internals for Java SE versions 6, 7, and 8 is on the list too, though with a much lower severity, given its CVSS score of 4.3.

“In circumstances where immediate physical patching is not feasible, organizations should apply virtual patching to provide immediate, interim security controls. Also, organizations should be actively planning for the frequency and depth of security fixes to increase in the years ahead,” Holt also says.

The most important of the 19 vulnerabilities with a CVSS score of 9.8 patched this month include CVE-2016-3510, affecting the Oracle WebLogic Server component of Oracle Fusion Middleware; CVE-2015-7182, found in Oracle Directory Server Enterprise Edition; CVE-2016-3493, in the Hyperion Financial Reporting component of Oracle Hyperion; CVE-2015-3253, in the Oracle Health Sciences Clinical Development Center component of Oracle Health Sciences Applications; and CVE-2016-3613, in the Oracle Secure Global Desktop component of Oracle Virtualization.

The full details on the addressed vulnerabilities are available in Oracle's security advisory.

Earlier this year, Oracle reissued a patch for CVE-2013-5838, a flaw in Java supposedly resolved in the October 2013 CPU. This serious Java sandbox escape vulnerability was initially revealed in 2012, and researchers discovered this year that the previous patch for it could be easily bypassed.

Related: Oracle Critical Patch Update for April 2016 Fixes 136 Vulnerabilities

view counter