Oracle's latest quarterly Critical Patch Update contains 253 patches for 76 of its enterprise products, including databases, operating systems, Java and networking components. Of the bugs it addresses, 15 are rated critical, and several of those, including flaws in Java Standard Edition (SE) and Oracle's database products, can be exploited remotely by an attacker without authentication. Here's what you need to know.
The critical vulnerabilities affect Oracle Java SE, Oracle Big Data Discovery, Oracle Web Services, Oracle WebLogic Server, Oracle Advanced Supply Chain Planning, Oracle Commerce Platform and Oracle Retail Customer Insights.
There are seven new security fixes for Oracle Java SE. All seven address vulnerabilities that are remotely exploitable without authentication, and two of them can be exploited over multiple protocols.
For Oracle MySQL Server there are 31 security fixes, two of which address remotely exploitable vulnerabilities.
There's a lot to go through in this quarterly update. If your organisation runs any Oracle products, consult the detailed security advisory to determine which vulnerabilities affect you: its per-product risk matrices list each fix with the affected component, the CVSS base score and whether the flaw is exploitable remotely without authentication, which is the quickest way to triage what needs patching first.
If you're an administrator hoping to rely on a workaround rather than applying the patches right away, Oracle advises against it:
"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."
[Via Oracle Security Advisory]