Oracle’s first quarterly Critical Patch Update of the year has been released. Customers are urged to apply all 270 fixes to the affected products.
Oracle Has Issued 270 Fixes
The vast update covers products including Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL. The big number should not scare you: last July’s critical update contained 276 fixes. All customers should apply the updates immediately, “without delay”. It is well known that attacks succeed largely because targets failed to apply patches on time.
According to security experts at Qualys, more than 100 of the issues fixed in the update could be exploited in remote attacks without credentials.
More specifically, the updates for Oracle’s FLEXCUBE financial applications account for 20 percent of the update, alongside updates for Oracle Applications, Fusion Middleware, MySQL, and Java. Other significant updates concern Oracle retail applications and PeopleSoft. 16 of the 17 Java flaws could be exploited remotely without user credentials. Five of the 27 MySQL bugs are also remotely exploitable.
MySQL has had the highest number of CVE-listed vulnerabilities over the past five years, and the company reports a steady increase in those flaws from 2015 to 2016. There are also fixes for Oracle’s retail applications, including MICROS, the well-known PoS systems. More precisely, one of the two bugs in the MICROS Lucas system does not require authentication and could be exploited remotely via the web. The other remote bug concerns Oracle Retail Order Broker.
That is not surprising at all: PoS systems have become primary targets of purpose-built malware aimed at stealing credit card data.