Security Experts:

Connect with us

Hi, what are you looking for?



Oracle’s Critical Patch Update for July Contains Record Number of Fixes

Oracle HQ

Oracle HQ

Oracle Addresses 276 Security Flaws, 19 Critical in Critical Patch Update (CPU) For July 2016

Oracle on Tuesday released its Critical Patch Update (CPU) for July 2016 to address a total of 276 vulnerabilities across multiple products, including 19 critical security flaws that have a CVSS score of 9.8.

This month’s Oracle CPU contains a record number of fixes, after the January 2016 set of patches established another one, at 248 security fixes. More worrying than the sheer number of addressed vulnerabilities is that 159 can be exploited remotely without authentication.

Overall, the July CPU addresses 36 security issues in applications designed specifically for the Retail, Insurance, Health, Financial, and Utility industries. However, with 4 remotely exploitable vulnerabilities without authentication in sector-specific products, the Retail industry appears to have been affected the most.

A total of 121 vulnerabilities were addressed in crucial business applications from Oracle, namely E-Business Suite, Fusion Middleware, PeopleSoft, Retail Applications, Oracle JD Edwards, Supply Chain Products, and Database Server. Of the total 121 flaws, 71% can be exploited remotely without authentication, ERPScan points out.

Fusion Middleware is the most affected Oracle product, with 39 resolved vulnerabilities, 35 of which can be exploited remotely without authentication. Next in line is the Oracle Sun Systems Products Suite with 34 bugs, 21 of which can be exploited without authentication. Supply Chain with 27 vulnerabilities, E-Business Suite with 23, and MySQL with 22 flaws round up the top five most affected products.

According to Amol Sarwate, director of engineering at Qualys, these 22 MySQL bugs, along with 9 issues resolved in Oracle database server, are what database patching teams should be focusing on. Moreover, Sarwate notes that, even if databases aren’t typically exposed directly to the Internet, organizations should apply the new patches as soon as possible.

The most critical updates in Oracle’s July 2016 CPU are for Java SE, where 9 out of the 13 addressed issues can be compromised remotely over the network, Sarwate also says.

These critical bugs have high-severity CVSS Scores between 7.0 and 10.0, and some of them are vulnerabilities in the HotSpot JVM internals, meaning that customers need to apply the Java CPU patches as soon as possible, John Matthew Holt, Java security expert and Waratek CTO, explains.

With a CVSS score of 9.6 and affecting
Java SE 7 and/or Java SE 8, CVE-2016-3587 and CVE-2016-3606 are in the lead. CVE-2016-3550, which affects the HotSpot JVM internals for Java SE versions 6, 7, and 8 is on the list too, though with a much lower severity, given its CVSS score of 4.3.

“In circumstances where immediate physical patching is not feasible, organizations should apply virtual patching to provide immediate, interim security controls. Also, organizations should be actively planning for the frequency and depth of security fixes to increase in the years ahead,” Holt also says.

The most important of the 19 vulnerabilities with a CVSS score of 9.8 patched this month include CVE-2016-3510, affecting the Oracle WebLogic Server component of Oracle Fusion Middleware; CVE-2015-7182, found in Oracle Directory Server Enterprise Edition; CVE-2016-3493, in the Hyperion Financial Reporting component of Oracle Hyperion; CVE-2015-3253, in the Oracle Health Sciences Clinical Development Center component of Oracle Health Sciences Applications; and CVE-2016-3613, in the Oracle Secure Global Desktop component of Oracle Virtualization.

The full details on the addressed vulnerabilities are available in Oracle’s security advisory.

Earlier this year, Oracle reissued a patch for CVE-2013-5838, a flaw in Java supposedly resolved in the October 2013 CPU. This serious Java sandbox escape vulnerability was initially revealed in 2012, and researchers discovered this year that the previous patch for it could be easily bypassed.

Related: Oracle Critical Patch Update for April 2016 Fixes 136 Vulnerabilities

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet