Oracle Patches 33 Critical Vulnerabilities With January Updates

Oracle Delivers 284 Fixes With January 2019 Critical Patch Update (CPU)

Oracle this week released its first set of security patches for 2019, delivering a total of 284 new security fixes across the company’s product portfolio. 

33 of the fixes address Critical vulnerabilities, with a CVSS score above 9. Of the total vulnerabilities patched this month, 189 may be remotely exploitable without authentication. Many of the fixes address multiple vulnerabilities in the affected products, Oracle reveals.

The newly released Critical Patch Update (CPU) addresses vulnerabilities in products such as Database Server, Communications Applications, E-Business Suite, Financial Services Applications, Fusion Middleware, Java SE, MySQL, PeopleSoft Products, Retail Applications, and Sun Systems Products Suite, among others. 

Fusion Middleware was the product impacted the most, with a total of 62 fixes released for it, 57 addressing remotely exploitable vulnerabilities. Communications Applications came in second, with 33 fixes, 29 for remotely exploitable flaws. 

MySQL and Virtualization received 30 new fixes each, but only few of the issues may be exploited remotely without authentication (3 and 4, respectively). All of the 16 patches for E-Business Suite address remotely exploitable bugs. 

PeopleSoft Products (20 flaws – 15 of which are remotely exploitable), Retail Applications (16 – 15 remotely exploitable), Enterprise Manager Products Suite (11 – 9 remotely exploitable), Sun Systems Products Suite (11 – 5), and Financial Services Applications (9 – all remotely exploitable) were also affected. 

All of the 5 vulnerabilities Oracle addressed in Java SE this month may be remotely exploited without authentication. The risk associated with these flaws, however, is lower if the user does not have administrative privileges on the system. 

Four of the bugs impact deployments in clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code and rely on the Java sandbox for security, Oracle reveals. 

This month, Oracle also resolved vulnerabilities in Food and Beverage Applications (6 issues – 3 remotely exploitable), Health Sciences Applications (6 – 2), Supply Chain Products Suite (5 – 4), Insurance Applications (5 – 3), Hospitality Applications (5 – none remotely exploitable), Construction and Engineering Suite (4 – 4), Database Server (3 – 0), JD Edwards (2 – 2), Utilities Applications (2 – 2), Siebel CRM (1 – 1), Support Tools (1 – 1), and Hyperion (1 – 0). 

Oracle recommends applying the newly released Critical Patch Update fixes as soon as possible, to avoid situations where vulnerabilities that have been already addressed are targeted in malicious attacks. Delays in patching could lead to situations where attackers successfully compromise systems. 

Related: Oracle’s October 2018 Update Includes 301 Security Fixes

Related: Critical Vulnerability Patched in Oracle Database