Oracle Warns Users Of Critical Security Flaws

Oracle has fixed nearly 300 bugs, many of them high-risk, across its range of products, urging administrators to apply the patches quickly due to the risk of active exploitation.

The 297 patches were issued by Oracle this week in its quarterly Critical Patch Update, following a January 2019 update that fixed 284 issues and an October 2018 release that addressed 301 vulnerabilities.

The company said users’ systems are often left vulnerable to issues that have already been fixed due to delays in applying patches.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the firm said. “Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”

Remote exploitation

Oracle’s Fusion Middleware products had 53 issues addressed, 42 of which could be exploited remotely over a network without authentication.

The update applied 35 patches to the Oracle E-Business Suite, with 33 being remotely exploitable, while Oracle Communications Applications was affected by 26 bugs, 19 of which could be exploited remotely.

Oracle’s retail applications had 24 issues fixed, with Oracle Database Server being affected by six, and Java SE affected by five.

Oracle MySQL alone was affected by 45 security flaws, four being remotely exploitable without authentication.

Attack threat

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” Oracle said.

Details on some of the issues have already been made public, with Google’s Project Zero, for instance, having published proof-of-concept exploit code for two of the five Java SE flaws, tracked as CVE-2019-2697 and CVE-2019-2698.

Microsoft’s vulnerability research team and others also contributed to the 106 flaws reported to Oracle by third-party researchers.

The next two quarterly updates are scheduled for 16 July and 15 October.

Oracle has promoted its cloud-based applications to users as, in part, being more secure due to the automatic application of patches each quarter, saying last year patches were installed “much sooner than most manually operated databases”.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
