Oracle Critical Patch Update for October 2016 Fixes 253 Vulnerabilities

Oracle this week released its Critical Patch Update (CPU) for October 2016 to deliver a total of 253 new security fixes across multiple product families, nearly half of which can be exploited remotely without authentication.

Oracle products receiving the largest number of fixes this quarter include Oracle Communications Applications (36 patches), MySQL (31), Fusion Middleware (29), Financial Services Applications (24), and E-Business Suite (21). Oracle Database, Java SE, PeopleSoft, and Retail Applications received patches as well.

At 253 fixes, the October 2016 CPU is the second largest of the year, after the July CPU set a record with 276 patches. Oracle resolved numerous critical flaws this quarter (more than a dozen of the vulnerabilities carry a CVSS base score above 9), and among the business applications the most notable fix addresses a vulnerability in the HTTP server component of Oracle E-Business Suite.

The Oracle E-Business Suite was the most affected mission-critical software, with 11 of the 21 resolved vulnerabilities assessed as High risk. What’s more, 14 of these flaws can be exploited remotely without authentication, meaning that an attacker could leverage them over a network without user credentials. The highest CVSS score of the 21 issues is 8.2.

According to ERPScan, a company specializing in securing SAP and Oracle software, the most important of these flaws affects the web server component of Oracle EBS. The bug is remotely exploitable and could allow an unauthenticated attacker with HTTP network access to compromise Oracle HTTP Server, resulting in denial of service and unauthorized read access to data. The company also says that around 15,000 Oracle HTTP Server instances are exposed to the Internet.

Other mission-critical software that received fixes in the October CPU includes Oracle PeopleSoft (11 fixes), JD Edwards (2 fixes), and Siebel CRM (3 fixes). The highest CVSS base score among these business applications is 8.2.

The most critical issues resolved this month are four entries with a CVSS score of 9.8, covering three distinct CVEs (one is listed against two products): CVE-2015-3253, affecting the Big Data Discovery component of Fusion Middleware and also the Commerce Platform component of Oracle Commerce; CVE-2016-3551, affecting the Web Services component of Fusion Middleware; and CVE-2016-5535, affecting the WebLogic Server component of Fusion Middleware. A fifth, CVE-2016-5582, affecting the Java SE and Java SE Embedded components of Java SE, carries a CVSS score of 9.6.

Oracle included a total of 7 new security fixes for Java SE in the October 2016 CPU, affecting Java 6, 7, and 8. All of these vulnerabilities could be remotely exploitable without authentication, and three of them have a CVSS score of 9.6. According to Oracle, these vulnerabilities apply to Java deployments in “clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code,” but not to server deployments that load and run only trusted code.

Commenting on the Oracle CPU for October 2016, Waratek CTO John Matthew Holt told SecurityWeek that, because almost all of the vulnerabilities resolved in Java and Java products are remotely exploitable, “any application running on the current or earlier versions of these Java products is or may be susceptible to remote attacks.”

“In particular, two of the Java Platform vulnerabilities affect the JMX (Java Management Extensions) and Networking APIs built into the Java Platform. These two APIs are present and loaded in all but the most trivial Java applications. This means business critical Java applications are operating with known-flawed APIs and should be prioritized for patching as quickly as possible,” he says.

Holt also points out that Java-powered WebLogic applications are seriously impacted by the new set of security patches, especially with five different vulnerabilities in WebLogic versions 10 and 12 that can be remotely exploited over HTTP and HTTPS protocols without authentication. These remote exploits are the most worrying, given the ubiquity of HTTP/HTTPS access to Java-powered applications, he says.

“Furthermore, since these are nearly all high-CVSS vulnerabilities, a successful exploit will not only hijack the vulnerable application stack but also expose confidential application data. Customers running critical business applications on Java-powered WebLogic and GlassFish application platforms need to upgrade their application stack urgently to safeguard the security of their application and the confidentiality of their business data,” Holt continues.

However, he also points out that the October CPU is not out of the ordinary when compared to those released in the previous quarters, because high-severity vulnerabilities are identified and patched in the Java software platforms every three months.
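The two points above that call for action on the defender's side are the roughly 15,000 Oracle HTTP Server instances ERPScan found reachable from the Internet and the WebLogic flaws exploitable over plain HTTP/HTTPS. The first step either way is knowing which of your own hosts answer with an Oracle middleware banner. The following is an added example written for this page, not code from SecurityWeek, ERPScan or Waratek: it takes raw HTTP responses (constructed samples are embedded, not real captures), pulls the Server header, and flags Oracle HTTP Server and WebLogic Server with their advertised version so the hits can be checked against the CPU. The banner formats and the use of the X-ORACLE-DMS-ECID header as a secondary Fusion Middleware indicator are assumptions for the example; banners are also routinely suppressed or rewritten, so a miss here does not mean a host is patched.

```python
import re
from typing import Optional

# Banner patterns for the Server header. Version formats vary by release;
# these regexes are an assumption for the example, not a complete catalogue.
BANNER_PATTERNS = {
    "Oracle HTTP Server": re.compile(r"Oracle-HTTP-Server(?:-(\S+))?", re.I),
    "WebLogic Server": re.compile(r"WebLogic Server\s+(\d+(?:\.\d+)*)", re.I),
}


def parse_headers(raw_response: str) -> dict:
    """Return a lower-cased header-name -> value map from a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def fingerprint(raw_response: str) -> Optional[dict]:
    """Identify Oracle HTTP Server / WebLogic Server from response headers.

    Returns {"product", "version", "fmw_hint"} or None when nothing matches.
    fmw_hint is True when an X-ORACLE-DMS-ECID header is present; it is used
    here as an assumed secondary indicator of Oracle Fusion Middleware and does
    not identify the product on its own.
    """
    headers = parse_headers(raw_response)
    server = headers.get("server", "")
    fmw_hint = "x-oracle-dms-ecid" in headers
    for product, pattern in BANNER_PATTERNS.items():
        match = pattern.search(server)
        if match:
            return {"product": product,
                    "version": match.group(1) or "unknown",
                    "fmw_hint": fmw_hint}
    if fmw_hint:
        return {"product": "Oracle Fusion Middleware (unidentified)",
                "version": "unknown", "fmw_hint": True}
    return None


def triage(responses: dict) -> list:
    """Run fingerprint() over {host: raw_response}; list hosts to patch-check."""
    hits = []
    for host, raw in responses.items():
        result = fingerprint(raw)
        if result:
            hits.append({"host": host, **result})
    return sorted(hits, key=lambda hit: hit["host"])


# Constructed sample responses for the example (not real captures).
SAMPLE_RESPONSES = {
    "ebs.example.internal": (
        "HTTP/1.1 200 OK\r\n"
        "Date: Wed, 19 Oct 2016 12:00:00 GMT\r\n"
        "Server: Oracle-HTTP-Server-11g\r\n"
        "X-ORACLE-DMS-ECID: 0000Lb1example\r\n"
        "Content-Type: text/html\r\n\r\n<html></html>"
    ),
    "wls.example.internal": (
        "HTTP/1.1 404 Not Found\r\n"
        "Server: WebLogic Server 10.3.6.0 Tue Nov 15 08:52:36 PST 2011 1441050\r\n"
        "Content-Type: text/html\r\n\r\n"
    ),
    "www.example.internal": (
        "HTTP/1.1 200 OK\r\n"
        "Server: nginx\r\n\r\n"
    ),
}

if __name__ == "__main__":
    for hit in triage(SAMPLE_RESPONSES):
        print(hit)
```

In practice the raw responses would come from your own asset inventory or an authorized scan of your address space, and every hit is a prompt to check the installed patch level against the CPU, not a vulnerability finding in itself.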

ERPScan, on the other hand, underlines the fact that 2016 has been a record patch year for Oracle. At 253 fixes, the October CPU is the second largest after July's 276 patches, with the January CPU close behind at 248 fixes.

“Oracle started this year by releasing a CPU consisting of 248 patches, which immediately made headlines as a record-breaking number of fixes. As of today, this patch update seems to be a game-changing moment. We can assume that exceeding the two-hundred mark in terms of the number of closed issues was not fortuitous. This seems to be a trend for all sets of patches released in 2016, and only the CPU for April 2016 is at odds with it,” Alexander Polyakov, CTO at ERPScan, said.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
