Oracle Dishes Out 270 Patches In SecondBiggest Security Update Ever

Sam Pudwell,

Business applications receive the bulk of the patches as quarterly updates continue to grow

Oracle has kicked off 2017 with its largest Oracle Critical Patch Update (CPU) ever, fixing 270 vulnerabilities across a range of products and services.

This follows on from its October update – which was previously its biggest with 253 vulnerabilities fixed – and the record July update which comprised 276 patches.

This quarter’s CPU includes patches for more than 100 vulnerabilities that could previously be exploited by a remote attacker, most commonly over the HTTP protocol.

Oracle patch featured

Patched up

“The focus has shifted from Database and Java SE to critical business applications,” an ERPScan blog post explains. “This quarter’s CPU contains numerous patches for vulnerabilities affecting a scope of the most crucial business applications from Oracle, namely, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products, Oracle Database Server.

About 58 percent (158) of all of the patch updates close vulnerabilities in the aforementioned products”

According to Qualys, 20 percent of the patches are related to financial applications, followed by Oracle applications and MySQL with 18 percent and 15 percent respectively.

At the other end of the scale, both Sun Solaris and Virtual Box received four patches apiece, while the Oracle database received just 2.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the company says.

“In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”

It has been a busy couple of months for Oracle, with the company acquiring domain name service provider Dyn, pledging £1.1bn for computer science education in the EU and announcing a new London cloud region.

The only dark spot has been the resignation of senior executive George Polisner after co-CEO Safra Catz confirmed her support of President-elect Donald Trump.

Quiz: Test your knowledge of Oracle’s history, software and controversies