Oracle’s Critical Patch Update (CPU) for April 2016 was released on Tuesday, bringing 136 security fixes across multiple product families. Many of the vulnerabilities addressed in the update are remotely exploitable, with seven carrying a rating of a 10.0 using the Common Vulnerability Scoring System (CVSS).
Updates include fixes for Oracle Database Server, Fusion Middleware, Peoplesoft, E-Business Suite, MySQL, Java and several other products.
The latest Critical Patch Update from the enterprise software giant brings 5 new security fixes for the Oracle Database Server, 2 of which may be remotely exploitable without authentication. Additionally, 22 new security fixes were included for Oracle Fusion Middleware, 21 of these vulnerabilities may be remotely exploitable—also without authentication.
“Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. The exposure of Oracle Fusion Middleware products is dependent on the Oracle Database version being used,” Oracle explained in its advisory.
One vulnerability (CVE-2011-4461) addressed in this CPU dates back to 2011.
Late last month, Oracle released an update for Java SE to address a serious vulnerability, which SecurityWeek learned was actually another attempt by Oracle to patch CVE-2013-5838, a sandbox escape flaw reported by Poland-based Security Explorations in 2012. Oracle has strongly advised users to apply the fixes, due to the public disclosure of the details.
“There are a few indicators that can help you prioritize which updates to tackle first,” said Chris Goettl, product manager with Shavlik. “For instance, exploit code examples being made available in Metasploit is an easy one. If it is in Metasploit, it is also in the threat actor’s hands. Beyond that, things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited.”
“Seven out of the seven CVSS 10.0 vulnerabilities fit the pattern of those exploited in less than a month. With that in mind, I recommend the following priorities be added to your April Patch Tuesday activities: Java SE (four of seven), MySQL (two of seven) and Sun Systems Products Suite (one of seven) should be updated in this cycle,” Goettl added. “I know many of you are already a week in, but these are vulnerabilities that stand a higher chance of being exploited before your next monthly patch cycle.”
The vulnerabilities in April 2016’s Critical Patch Update were scored using CVSS versions 3.0 and 2.0. Future Critical Patch Updates and Security Alerts will be scored using CVSS v3.0 only, Oracle said.
The full details of all vulnerabilities are available in Oracle’s security advisory.
Oracle’s next Critical Patch update is scheduled for July 19.

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
More from Mike Lennon
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- Virtual Event Today: Supply Chain & Third-Party Risk Summit
- Ferrari Says Ransomware Attack Exposed Customer Data
- Webinar Today: How to Build Resilience Against Emerging Cyber Threats
- Make Your Picks: Cyber Madness Bracket Challenge Starts Today
- Cyber Madness Bracket Challenge – Register to Play
- Watch Sessions: Ransomware Resilience & Recovery Summit
- Webinar Today: Entering the Cloud Native Security Era
Latest News
- Intel Co-founder, Philanthropist Gordon Moore Dies at 94
- Google Leads $16 Million Investment in Dope.security
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
