Oracle Critical Patch Update for April 2016 Fixes 136 Vulnerabilities

Oracle’s Critical Patch Update (CPU) for April 2016 was released on Tuesday, bringing 136 security fixes across multiple product families. Many of the vulnerabilities addressed in the update are remotely exploitable, with seven carrying a rating of a 10.0 using the Common Vulnerability Scoring System (CVSS).

Updates include fixes for Oracle Database Server, Fusion Middleware, Peoplesoft, E-Business Suite, MySQL, Java and several other products. 

The latest Critical Patch Update from the enterprise software giant brings 5 new security fixes for the Oracle Database Server, 2 of which may be remotely exploitable without authentication. Additionally, 22 new security fixes were included for Oracle Fusion Middleware, 21 of these vulnerabilities may be remotely exploitable—also without authentication.

“Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used,” Oracle explained in its advisory.

One vulnerability (CVE-2011-4461) addressed in this CPU dates back to 2011. 

Late last month, Oracle released an update for Java SE to address a serious vulnerability, which SecurityWeek learned was actually another attempt by Oracle to patch CVE-2013-5838, a sandbox escape flaw reported by Poland-based Security Explorations in 2012. Oracle has strongly advised users to apply the fixes, due to the public disclosure of the details.

“There are a few indicators that can help you prioritize which updates to tackle first,” said Chris Goettl, product manager with Shavlik. “For instance, exploit code examples being made available in Metasploit is an easy one.  If it is in Metasploit, it is also in the threat actor’s hands. Beyond that, things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited.”  

“Seven out of the seven CVSS 10.0 vulnerabilities fit the pattern of those exploited in less than a month.  With that in mind, I recommend the following priorities be added to your April Patch Tuesday activities: Java SE (four of seven), MySQL (two of seven) and Sun Systems Products Suite (one of seven) should be updated in this cycle,” Goettl added. “I know many of you are already a week in, but these are vulnerabilities that stand a higher chance of being exploited before your next monthly patch cycle.”

The vulnerabilities in April 2016’s Critical Patch Update were scored using CVSS versions 3.0 and 2.0. Future Critical Patch Updates and Security Alerts will be scored using CVSS v3.0 only, Oracle said.

Oracle’s next Critical Patch update is scheduled for July 19.