Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Oracle Releases 248 Security Fixes

Oracle Critical Patch Update For January 2016 Addresses 248 Vulnerabilities

Oracle’s Critical Patch Update (CPU) for January 2016 was released on Tuesday and brings 248 security fixes across multiple product families.

Oracle Critical Patch Update For January 2016 Addresses 248 Vulnerabilities

Oracle’s Critical Patch Update (CPU) for January 2016 was released on Tuesday and brings 248 security fixes across multiple product families.

Popular software with fixes in the update include Oracle Database, Java SE, and Oracle E-Business Suite, along with many other products.

Fortunately, of the 7 Oracle Database vulnerabilities being addressed this time around, none are remotely exploitable without authentication. However, the updates address 3 vulnerabilities in Oracle GoldenGate, all of which could be remotely exploitable without authentication.

New updates in Oracle’s E-Business Suite help remediate security issues and is intended to help enhance the overall security posture provided by E-Business Suite, the company said.

For Java, Oracle strongly recommended that users to ensure that they are using the most recent version of Java and are advised to remove obsolete Java SE versions from their computers if they are not absolutely needed. 

Late last year, Oracle agreed to settle with the U.S. Federal Trade Commission over charges that it deceived customers about the security of the Java platform. As part of the settlement, Oracle will have to warn users during the Java update process if older versions of the software are present, notify them about the risks, and give them the option to remove the vulnerable application.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the database giant warned. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.”

Advertisement. Scroll to continue reading.

Along with the January 2017 CPU, Oracle reminded customers to apply fixes and/or configuration steps that were announced for a Java deserialization vulnerability (CVE-2015-4852) in November 2015, which affected other third-party products, including many from Cisco.  

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible,” Oracle advises. “Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.”

“With 248 fixes it is important that you know what applications you are running within you compan,” said Qualys CTO Wolfgang Kandek. “A complete inventory of your servers and installed software comes in handy to augment a manual application registry that many companies have made mandatory already. Scanning all of your machines will find applications that you were not aware of, plus versions of programs that are outdated and potentially even end-of-life.”

The full details of all vulnerabilities are available in Oracle’s security advisory

RelatedMany Organizations Using Oracle PeopleSoft Vulnerable to Attacks

*Updated with commentary from Qualys

Written By

For more than 15 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.