Oracle Warns Users Of Critical Security Flaws

Oracle has fixed nearly 300 bugs, many of them high-risk, across its range of products, urging administrators to apply the patches quickly due to the risk of active exploitation.

The 297 patches were issued by Oracle this week in its quarterly Critical Patch Update, following a January 2019 update that fixed 284 issues and an October 2018 release that addressed 301 vulnerabilities.

The company said users’ systems are often left vulnerable to issues that have already been fixed due to delays in applying patches.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the firm said. “Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”

Remote exploitation

Oracle’s Fusion Middleware products had 53 issues addressed, with 42 being bugs that could be exploited remotely over a network without authentication.

The update applied 35 patches to the Oracle E-Business Suite, with 33 being remotely exploitable, while Oracle Communications Applications was affected by 26 bugs, 19 of which could be exploited remotely.

Oracle’s retail applications had 24 issues fixed, with Oracle Database Server being affected by six, and Java SE affected by five.

Oracle MySQL alone was affected by 45 security flaws, four being remotely exploitable without authentication.

Attack threat

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” Oracle said.

Details on some of the issues have already been made public, with Google’s Project Zero, for instance, having published proof-of-concept exploit code for two of the five Java SE flaws, tracked as CVE-2019-2697 and CVE-2019-2698.

Microsoft’s vulnerability research team and others also contributed to the 106 flaws reported to Oracle by third-party researchers.

The next two quarterly updates are scheduled for 16 July and 15 October.

Oracle has promoted its cloud-based applications to users as, in part, being more secure due to the automatic application of patches each quarter, saying last year patches were installed “much sooner than most manually operated databases”.

Matthew Broersma

Matt Broersma is a long-standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications.
