Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Critical Patch Update for April 2016 Fixes 136 Vulnerabilities

Oracle’s Critical Patch Update (CPU) for April 2016 was released on Tuesday, bringing 136 security fixes across multiple product families. Many of the vulnerabilities addressed in the update are remotely exploitable, with seven carrying a rating of a 10.0 using the Common Vulnerability Scoring System (CVSS).

Oracle’s Critical Patch Update (CPU) for April 2016 was released on Tuesday, bringing 136 security fixes across multiple product families. Many of the vulnerabilities addressed in the update are remotely exploitable, with seven carrying a rating of a 10.0 using the Common Vulnerability Scoring System (CVSS).

Updates include fixes for Oracle Database Server, Fusion Middleware, Peoplesoft, E-Business Suite, MySQL, Java and several other products. 

The latest Critical Patch Update from the enterprise software giant brings 5 new security fixes for the Oracle Database Server, 2 of which may be remotely exploitable without authentication. Additionally, 22 new security fixes were included for Oracle Fusion Middleware, 21 of these vulnerabilities may be remotely exploitable—also without authentication.

“Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used,” Oracle explained in its advisory.

One vulnerability (CVE-2011-4461) addressed in this CPU dates back to 2011. 

Late last month, Oracle released an update for Java SE to address a serious vulnerability, which SecurityWeek learned was actually another attempt by Oracle to patch CVE-2013-5838, a sandbox escape flaw reported by Poland-based Security Explorations in 2012. Oracle has strongly advised users to apply the fixes, due to the public disclosure of the details.

“There are a few indicators that can help you prioritize which updates to tackle first,” said Chris Goettl, product manager with Shavlik. “For instance, exploit code examples being made available in Metasploit is an easy one.  If it is in Metasploit, it is also in the threat actor’s hands. Beyond that, things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited.”  

“Seven out of the seven CVSS 10.0 vulnerabilities fit the pattern of those exploited in less than a month.  With that in mind, I recommend the following priorities be added to your April Patch Tuesday activities: Java SE (four of seven), MySQL (two of seven) and Sun Systems Products Suite (one of seven) should be updated in this cycle,” Goettl added. “I know many of you are already a week in, but these are vulnerabilities that stand a higher chance of being exploited before your next monthly patch cycle.”

The vulnerabilities in April 2016’s Critical Patch Update were scored using CVSS versions 3.0 and 2.0. Future Critical Patch Updates and Security Alerts will be scored using CVSS v3.0 only, Oracle said.

The full details of all vulnerabilities are available in Oracle’s security advisory

Oracle’s next Critical Patch update is scheduled for July 19.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.

Register

Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Vulnerabilities

Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

Vulnerabilities

GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet