Oracle’s Critical Patch Update (CPU) for April 2016 was released on Tuesday, bringing 136 security fixes across multiple product families. Many of the vulnerabilities addressed in the update are remotely exploitable, with seven carrying a rating of a 10.0 using the Common Vulnerability Scoring System (CVSS).
Updates include fixes for Oracle Database Server, Fusion Middleware, Peoplesoft, E-Business Suite, MySQL, Java and several other products.
The latest Critical Patch Update from the enterprise software giant brings 5 new security fixes for the Oracle Database Server, 2 of which may be remotely exploitable without authentication. Additionally, 22 new security fixes were included for Oracle Fusion Middleware, 21 of these vulnerabilities may be remotely exploitable—also without authentication.
“Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used,” Oracle explained in its advisory.
One vulnerability (CVE-2011-4461) addressed in this CPU dates back to 2011.
Late last month, Oracle released an update for Java SE to address a serious vulnerability, which SecurityWeek learned was actually another attempt by Oracle to patch CVE-2013-5838, a sandbox escape flaw reported by Poland-based Security Explorations in 2012. Oracle has strongly advised users to apply the fixes, due to the public disclosure of the details.
“There are a few indicators that can help you prioritize which updates to tackle first,” said Chris Goettl, product manager with Shavlik. “For instance, exploit code examples being made available in Metasploit is an easy one. If it is in Metasploit, it is also in the threat actor’s hands. Beyond that, things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited.”
“Seven out of the seven CVSS 10.0 vulnerabilities fit the pattern of those exploited in less than a month. With that in mind, I recommend the following priorities be added to your April Patch Tuesday activities: Java SE (four of seven), MySQL (two of seven) and Sun Systems Products Suite (one of seven) should be updated in this cycle,” Goettl added. “I know many of you are already a week in, but these are vulnerabilities that stand a higher chance of being exploited before your next monthly patch cycle.”
The vulnerabilities in April 2016’s Critical Patch Update were scored using CVSS versions 3.0 and 2.0. Future Critical Patch Updates and Security Alerts will be scored using CVSS v3.0 only, Oracle said.
The full details of all vulnerabilities are available in Oracle’s security advisory.
Oracle’s next Critical Patch update is scheduled for July 19.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- ‘No Evidence’ of Cyberattack Related to FAA Outage, White House Says
- SecurityWeek to Host 2022 ICS Cybersecurity Conference October 24-27 in Atlanta
- Google Completes $5.4 Billion Acquisition of Mandiant
- Cybersecurity Firm ZeroFox Begins Trading on Nasdaq via SPAC Deal
- HUMAN Security and PerimeterX Merge on Mission to Combat Bots
- Last Call: CFP for ICS Cybersecurity Conference Closes July 15th
- Johnson Controls Acquires Tempered Networks to Shield Buildings From Cyberattacks
- Snowflake Launches Cybersecurity Workload to Find Threats Across Massive Data Sets
Latest News
- Critical Vulnerability Impacts Over 120 Lexmark Printers
- BIND Updates Patch High-Severity, Remotely Exploitable DoS Flaws
- Industry Reactions to Hive Ransomware Takedown: Feedback Friday
- Microsoft Urges Customers to Patch Exchange Servers
- Iranian APT Leaks Data From Saudi Arabia Government Under New Persona
- US Reiterates $10 Million Reward Offer After Disruption of Hive Ransomware
- Cyberattacks Target Websites of German Airports, Admin
- US Infiltrates Big Ransomware Gang: ‘We Hacked the Hackers’
