Oracle released its first batch of security patches this year, fixing 270 vulnerabilities, mostly in business-critical applications. Many of the flaws can be exploited remotely without authentication.
The majority of the fixes are for flaws in business products such as Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products and Oracle Database Server.
E-Business Suite, which is used by companies to store key data and manage a wide range of business processes, accounts for more than 40 percent of the patched vulnerabilities — 121. Out of these, 118 are remotely exploitable and the highest rated one has a score of 9.2 (critical) in the Common Vulnerability Scoring System.
Another 37 vulnerabilities were patched in Oracle Financial Services, 18 in Oracle Fusion Middleware, eight in Oracle Retail Applications, eight in Oracle PeopleSoft and 4 in the Oracle Primavera Products Suite. These products are used across a variety of industries.
The most critical vulnerability, with a CVSS score of 10, was patched in Primavera P6 Enterprise Project Portfolio Management. The vulnerability can be exploited over HTTP and can result in unauthorized creation, deletion or modification of critical data.
Vulnerabilities with a CVSS score of 9.8 were fixed in Oracle WebLogic Server, PeopleSoft Enterprise PeopleTools, JD Edwards EnterpriseOne Tools and Enterprise Manager Base Platform. If left unpatched, these can lead to a complete compromise of the affected systems.
On the database side, 27 vulnerabilities were patched in the widely used MySQL database server and five in the Oracle Database Server and related components. Seventeen vulnerabilities have been fixed in Java.
This is not Oracle’s largest Critical Patch Update (CPU) to date, but comes close to it — the record was 276 fixes in the July 2016 CPU.
Analysts from cybersecurity firm ERPScan point out that Oracle CPUs that exceed 200 patches have become the norm. The average number of fixes per Oracle CPU in 2015 was 153, but in 2016 is was 227, they said in an analysis.
“Oracle updates are huge and touch a wide range of products,” said Amol Sarwate, director of vulnerability labs at Qualys, in a blog post. “As compared to older CPUs this was a regular-sized update but is bound to keep administrators busy due to the sheer number of vulnerabilities and products it touches.”
Oracle releases CPUs on a quarterly basis, the next one being scheduled for April 18th.