Patch/Configuration Management, Vulnerability Management

Oracle shifts to CVSS 3.0, quarterly update contains 136 fixes

Oracle issues a massive update containing 136 fixes with the company's quarterly Critical Patch Update, but the biggest news is the company shifting away from using Common Vulnerability Scoring System (CVSS) version 2.0 to version 3.0.

The update covers a variety of Oracle products including Oracle Database Server, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

However, the patches are not what attracted attention to this update; rather, it is that Oracle switched over to using CVSS version 3.0, a move that received a thumbs up from the industry, with executives saying it will make future scoring more accurate.

"First of all, I'm glad to see such changes in the scoring system, as there were many discussions about the quality of CVSS v.2.0. For example, vendors could rate issues discovered in their products as less critical (intentionally or unintentionally) because of some flaws in this scoring system," Alexander Polyakov, chief technology officer (CTO) at ERPScan, told SCMagazine in an email Wednesday. "Now the recently updated system is more accurate and many drawbacks affecting the previous version were resolved."

Oracle MySQL grabbed the award for having the most issues to fix with 31, although only four could lead to remote code execution. However, of the 22 issues fixed in Oracle Fusion Middleware, not only did seven receive the highest CVSS v2.0 rating of 10, but 21 could be exploited remotely and without authentication.

Oracle Java SE had nine vulnerabilities, all of which could be exploited remotely, with several scoring 9.0 or higher on the CVSS 2.0 scale. These updates closely follow an out-of-cycle update issued by Oracle in late March that addressed other serious issues with Java SE.

Oracle Sun Systems Products Suite had the next highest number of issues with 18 fixes rolled out, 12 of which, if left unpatched, could lead to remote code execution. Oracle PeopleSoft products were right behind with 15 vulnerabilities, but only two of them could have allowed remote code execution. Oracle Database Server had five security fixes, with two vulnerabilities being remotely exploitable without authentication.
