Oracle Warns Users Of Critical Security Flaws


The firm fixed nearly 300 bugs across its products, saying many were at risk of being actively exploited

Oracle has fixed nearly 300 bugs, many of them high-risk, across its range of products, urging administrators to apply the patches quickly due to the risk of active exploitation.

The 297 patches were issued by Oracle this week in its quarterly Critical Patch Update, following a January 2019 update that fixed 284 issues and an October 2018 release that addressed 301 vulnerabilities.

The company said users’ systems are often left vulnerable to issues that have already been fixed due to delays in applying patches.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the firm said. “Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”

Remote exploitation

Oracle’s Fusion Middleware products had 53 issues addressed, 42 of which could be exploited remotely over a network without authentication.

The update applied 35 patches to the Oracle E-Business Suite, with 33 being remotely exploitable, while Oracle Communications Applications was affected by 26 bugs, 19 of which could be exploited remotely.

Oracle’s retail applications had 24 issues fixed, with Oracle Database Server being affected by six, and Java SE affected by five.

Oracle MySQL alone accounted for 45 of the security flaws, four of them remotely exploitable without authentication.
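The per-product counts above all hinge on one criterion: whether a flaw is exploitable over the network with no credentials, which in the CVSS v3 vectors Oracle publishes in each CPU risk matrix corresponds to Attack Vector "N" and Privileges Required "N". The following is an added example (not code from the article or from Oracle) of applying that rule to rows in the shape of a risk matrix, so an administrator can reproduce the "remotely exploitable without authentication" tally for their own product list and order patching accordingly. The rows, IDs and scores below are constructed placeholders, not real Oracle advisory data.

```python
"""
Triage helper for Critical Patch Update risk-matrix rows.

Classifies CVSS v3 vectors by the criterion the CPU summaries use:
remotely exploitable over a network (AV:N) without authentication (PR:N).
Added example; the sample rows are constructed, not Oracle's data.
"""
from collections import defaultdict

# Constructed sample rows: (placeholder ID, product, CVSS v3 base score, vector).
# The IDs are not real CVEs; scores match the vectors under CVSS v3.0 scoring.
SAMPLE_ROWS = [
    ("EXAMPLE-0001", "Fusion Middleware", 9.8, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("EXAMPLE-0002", "Fusion Middleware", 6.5, "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
    ("EXAMPLE-0003", "MySQL", 4.9, "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"),
    ("EXAMPLE-0004", "MySQL", 7.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    # Local attack vector: serious, but not "remote without authentication".
    ("EXAMPLE-0005", "Java SE", 7.4, "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"),
]

BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_vector(vector):
    """Parse 'CVSS:3.x/AV:N/AC:L/...' into a dict of metric -> value.

    Raises ValueError for anything that is not a complete CVSS v3 base vector,
    so a v2 string or a truncated cell in a spreadsheet cannot be silently
    counted as "not remote".
    """
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, _, value = part.partition(":")
        if not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics {missing} in {vector!r}")
    return metrics


def remote_unauthenticated(vector):
    """True when the flaw is network-reachable (AV:N) and needs no
    privileges (PR:N): the CPU's "remotely exploitable without
    authentication" category."""
    m = parse_vector(vector)
    return m["AV"] == "N" and m["PR"] == "N"


def summarize(rows):
    """Per-product counts of total fixes and remote/unauthenticated fixes."""
    summary = defaultdict(lambda: {"total": 0, "remote_unauth": 0})
    for _id, product, _score, vector in rows:
        summary[product]["total"] += 1
        if remote_unauthenticated(vector):
            summary[product]["remote_unauth"] += 1
    return dict(summary)


def patch_first(rows, min_score=7.0):
    """IDs to patch first: remote/unauthenticated with a High or Critical
    base score, highest score first."""
    hits = [(score, row_id) for row_id, _product, score, vector in rows
            if remote_unauthenticated(vector) and score >= min_score]
    return [row_id for _score, row_id in sorted(hits, reverse=True)]


if __name__ == "__main__":
    for product, counts in sorted(summarize(SAMPLE_ROWS).items()):
        print(f"{product}: {counts['total']} fixes, "
              f"{counts['remote_unauth']} remotely exploitable without authentication")
    print("patch first:", patch_first(SAMPLE_ROWS))
```

The parser rejects CVSS v2 strings and incomplete vectors rather than defaulting them to "not remote", because a row that fails to parse is exactly the one that should be looked at by hand, not quietly dropped from the priority list.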

Attack threat

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” Oracle said.

Details on some of the issues have already been made public, with Google’s Project Zero, for instance, having published proof-of-concept exploit code for two of the five Java SE flaws, tracked as CVE-2019-2697 and CVE-2019-2698.

Microsoft’s vulnerability research team and others also contributed to the 106 flaws reported to Oracle by third-party researchers.

The next two quarterly updates are scheduled for 16 July and 15 October.

Oracle has promoted its cloud-based applications to users as, in part, being more secure due to the automatic application of patches each quarter, saying last year patches were installed “much sooner than most manually operated databases”.