Oracle Issues Its Largest Patch Update Ever

Some patch updates are larger than others, a lot larger. Such is the case with Oracle’s July Critical Patch Update, which tackles a whopping 276 vulnerabilities across multiple Oracle software products.

Oracle has had a quarterly patch cycle for its software portfolio since 2004, and as new companies have been acquired, including Sun Microsystems in 2010, the list of software has expanded. Yet during the 12 years of Oracle software updates, there have never been as many vulnerabilities patched as there are now in the July 2016 update.

In April 2006, Oracle’s CPU patched a meager 36 vulnerabilities, while the most recent patch update in April 2016 fixed 136 flaws.

Huge Oracle patch

“276 is quite high, and as a matter of fact is the highest number of vulnerabilities Oracle has fixed in a single update,” Amol Sarwate, director of engineering at Qualys, told eWEEK. The average for last year was about 161 and for 2014 was about 128 fixes.”

So far in 2016, the patched vulnerability count has gone up significantly, with 248 in January and 276 in July, Sarwate said.

Not all of the vulnerabilities that Oracle patched are equally severe, and the most serious are typically those identified as being remotely exploitable without authentication. For the July update, 159 vulnerabilities can be exploited remotely by a potential attacker, without the use of a username or password.

Regarding specific software applications that are being patched, Oracle’s Fusion middleware tops the list with the most issues, at 40 vulnerabilities, 35 of which are remotely exploitable without authentication.

Software from Oracle’s Sun Systems portfolio is being patched for 34 different vulnerabilities, 21 of which are remotely exploitable without authentication.

MySQL and Java

Oracle breaks out Java and MySQL database software, which it acquired from Sun, in separate categories. For July, there are 13 new vulnerabilities in Java including nine that can be exploited remotely by an attacker without a username or password.

Oracle has invested in improving Java over the last few years; back in 2014, Cisco identified Java as the primary cause of 91 percent of all attacks. In 2015, improvements Oracle made to Java significantly reduced the risks. In December 2015, Oracle settled with the U.S. Federal Trade Commission over charges related to Java software updates and security.

The MySQL database server, in contrast to Java, has only three issues that are remotely exploitable without authentication, out of a total of 22 security vulnerabilities. Oracle’s namesake database is also being patched, but only five of the nine vulnerabilities that are patched can be remotely exploited by an attacker without authentication.

“Most components affected in today’s update were the usual suspect, so no surprise there,” Sarwate said. “In my opinion, the massive size of the update itself was a surprise, and going forward, I think 200-plus vulnerability fixes is going to be the norm.”]

Originally published on eWeek

Quiz: What do you know about Oracle?

Sean Michael Kerner

Sean Michael Kerner is a senior editor at eWeek and contributor to TechWeek

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

3 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago