Oracle admins are today staring down the barrel of the biggest quarterly Critical Patch Update ever.
The numbers are gory: 308 vulnerabilities patched, 165 of which are remotely exploitable, across more than 90 products. So far in 2017, Oracle has patched 878 vulnerabilities through three CPUs.
System and network admins have never been taxed from a patching perspective as much as they have this year. On the Windows side, Microsoft has overhauled its security bulletins, replacing them with the cumbersome Security Update Guide. Windows admins have had to deal with critical updates for the SMB bug used by WannaCry and ExPetr, including out-of-band patches for XP and other unsupported versions of Windows. WannaCry and ExPetr exposed how much the industry still struggles and lags with patching.
Now Oracle’s mammoth update today must be contended with; it tops April’s record patch count of 300.
“Since the April 2017 Oracle CPU, the world has been rocked by global malware attacks that exploit well-known flaws that have readily available fixes,” said John Matthew Holt, CTO of Waratek, in a statement. “Overburdened and under-resourced security teams simply cannot apply physical patches fast enough to stay ahead of the attackers.
“Businesses continue to rely on legacy applications that can’t be patched or upgraded, creating yet another avenue of attack,” Holt said. “Now this CPU introduces a new range of flaws for hackers to try to exploit before cyber professionals can plug the holes over the coming months (or year).”
Oracle E-Business Suite accounts for more than 120 of the vulnerabilities addressed in the update, 118 of which are remotely exploitable. Onapsis disclosed details on one of the flaws it privately reported to Oracle in the suite that allows attackers to download sensitive business documents and configuration files without authentication.
The E-Business Suite was by far the most scrutinized product in today’s CPU.
Oracle Fusion Middleware and Java SE addressed a much more reasonable 18 and 17 vulnerabilities respectively, but 16 of the flaws in each product are remotely exploitable.
Seven Fusion Middleware bugs have a CVSS score of at least 8.6, with three remotely exploitable flaws in Oracle Outside In Technology, Tuxedo and WebLogic Server rated at 9.8.
Source: ThreatPost