Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Critical Patch Update for April 2016 Fixes 136 Vulnerabilities

Oracle’s Critical Patch Update (CPU) for April 2016 was released on Tuesday, bringing 136 security fixes across multiple product families. Many of the vulnerabilities addressed in the update are remotely exploitable, with seven carrying a rating of a 10.0 using the Common Vulnerability Scoring System (CVSS).

Oracle’s Critical Patch Update (CPU) for April 2016 was released on Tuesday, bringing 136 security fixes across multiple product families. Many of the vulnerabilities addressed in the update are remotely exploitable, with seven carrying a rating of a 10.0 using the Common Vulnerability Scoring System (CVSS).

Updates include fixes for Oracle Database Server, Fusion Middleware, Peoplesoft, E-Business Suite, MySQL, Java and several other products. 

The latest Critical Patch Update from the enterprise software giant brings 5 new security fixes for the Oracle Database Server, 2 of which may be remotely exploitable without authentication. Additionally, 22 new security fixes were included for Oracle Fusion Middleware, 21 of these vulnerabilities may be remotely exploitable—also without authentication.

“Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used,” Oracle explained in its advisory.

One vulnerability (CVE-2011-4461) addressed in this CPU dates back to 2011. 

Late last month, Oracle released an update for Java SE to address a serious vulnerability, which SecurityWeek learned was actually another attempt by Oracle to patch CVE-2013-5838, a sandbox escape flaw reported by Poland-based Security Explorations in 2012. Oracle has strongly advised users to apply the fixes, due to the public disclosure of the details.

“There are a few indicators that can help you prioritize which updates to tackle first,” said Chris Goettl, product manager with Shavlik. “For instance, exploit code examples being made available in Metasploit is an easy one.  If it is in Metasploit, it is also in the threat actor’s hands. Beyond that, things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited.”  

“Seven out of the seven CVSS 10.0 vulnerabilities fit the pattern of those exploited in less than a month.  With that in mind, I recommend the following priorities be added to your April Patch Tuesday activities: Java SE (four of seven), MySQL (two of seven) and Sun Systems Products Suite (one of seven) should be updated in this cycle,” Goettl added. “I know many of you are already a week in, but these are vulnerabilities that stand a higher chance of being exploited before your next monthly patch cycle.”

The vulnerabilities in April 2016’s Critical Patch Update were scored using CVSS versions 3.0 and 2.0. Future Critical Patch Updates and Security Alerts will be scored using CVSS v3.0 only, Oracle said.

The full details of all vulnerabilities are available in Oracle’s security advisory

Oracle’s next Critical Patch update is scheduled for July 19.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.