Oracle releases 113 bug fixes in Critical Patch Update

The most critical flaws were in Java and Oracle Database Server.

In its quarterly security update, Oracle has released 113 patches for vulnerabilities across hundreds of its products.

On Tuesday, the company published an advisory for its July Critical Patch Update (CPU), detailing software with the most severe rankings according to its Common Vulnerability Scoring System (CVSS). Oracle's popular browser plug-in Java received 20 patches, all for vulnerabilities that could be remotely exploited by an attacker without a username and password.

One or more of the Java bugs received a CVSS base score of 10, the most critical ranking. Among the numerous Oracle products and software components addressed in the update – including Oracle Fusion Middleware, Oracle MySQL Server, Oracle Database 11 and 12, and Oracle E-Business Suite – Java was the only one affected by security issues scoring a 10.

Still, vulnerabilities in Oracle Database Server, which affected the product's network layer, relational database management system (RDBMS) core, and XML parser components, received a CVSS base score of 9, the company revealed. The quarterly update contained only five patches for bugs in Oracle Database Server.

In prepared emailed comments on the July CPU, Ross Barrett, senior manager of security engineering at Rapid7, told SCMagazine.com that the Oracle Database issues would take priority for enterprise database administrators, while fixes for Java would be the top patching concern for “almost all home and enterprise end-users.”

“Recent improvements to the control of when the browser may run Java plug-ins have somewhat mitigated the risk for those users who have been keeping their JRE up to date and actually pay attention to the warnings and controls,” Barrett wrote. “That said, this is still going to be a major risk and we will have to monitor for co-publication of exploit code from various disclosure systems.”
