Oracle has just issued one of the most critical patches in its history, aimed at fixing 308 different vulnerabilities affecting the company’s products.
By definition, a critical patch update is a series of measures intended to solve multiple security issues.
While they are certainly very common for a software company, the sheer number of vulnerabilities targeted in this patch update is a first for Oracle.
Security Wake Up Call
Recent malware attacks have increased the awareness of companies and organizations everywhere of the need to secure digital data.
Protecting important and sensitive data should be of paramount importance for businesses and private individuals alike.
Sadly, the various security teams responsible for producing software patches are unable to apply them fast enough.
Many have pointed out that this is happening due to the fact that these teams are constantly swamped with work and haven’t been given enough resources to do their job properly.
However, more and more companies are now focusing their energy and money towards building and maintaining solid software security departments.
Different Types of Flaws
Amongst the 308 vulnerabilities in the recent patch update, nearly 30 of them have been defined as critical. Most had a CVSS score ranging between 9 and 10, with only one bug being rated with a score of 10.
Even more concerning was the fact that over half of the bugs targeted by the critical patch update could be remotely exploited without the need for any sort of authentication process.
Oracle has fixed over 878 vulnerabilities across three critical patch updates this year alone.
The recent update topped the previous record held by April's patch, which targeted 300 vulnerabilities.
Going by the recent update, it looks like more and more security flaws are occurring, and this doesn't seem to be stopping anytime soon.
The need to fix these issues is especially critical in today’s times due to increasing reports of hacking across the world.
The different security flaws in question are spread across 22 Oracle products, such as Oracle Database Server, Oracle Enterprise Manager, iLearning, MySQL Product Suite, Oracle Fusion Middleware, Java SE, Oracle Commerce, Linux and Virtualization, Fusion Applications, Primavera, and more.
One vulnerability being targeted was a critical document download bug in the E-Business Suite. It allows attackers to gain access to protected data without the need for a valid user account.
This bug was found by Juan Perez-Etchegoyen, who is the CTO of cybersecurity solutions firm Onapsis.
According to an Onapsis press release, exploitation of this bug may allow attackers the ability to retrieve data stored in the database.
As a result, the cyber attack would lead to severe data loss, as well as compliance violations.
This particular flaw was deemed to be especially critical, since anyone with a web browser could potentially exploit it to access sensitive data in the form of purchase orders, invoices and even design documents.
The E-Business Suite seems to be the product most affected by the recent critical patch update, as more than 120 vulnerabilities were attributed to the software.
Another critical issue took place within the Solaris CDE Calendar component.
It was tracked as CVE-2017-3632 and looked to be a remote privilege escalation flaw. Vulnerabilities such as this could easily be abused to enable DDoS attacks.
The recent update also went after bugs in Java SE. Out of the ten security flaws, nine of them were given a CVSS rating of 9.6.
According to the organization, nearly 28 of the targeted 32 Java flaws can be exploited remotely without the need for authentication. In Oracle MySQL, nine of them could be abused in the same way.
Experts, however, are more worried about the 30-odd vulnerabilities found in PeopleSoft. More than 20 of them could be subject to exploitation, as user credentials wouldn't be required.
PeopleSoft helps various companies all over the world manage several databases relating to human resources, supply chains, customer relationships, and other such uses.
The fact that 30 potentially critical vulnerabilities have been found in such a widely used program is indeed a cause for concern.
However, such worries may get squashed if the recent patch is successful in solving the various security issues.