Oracle announced that it will release a Critical Patch Update on July 17 addressing 334 security vulnerabilities, the most severe of which has a CVSS 3.0 Base Score of 9.8.
The patch affects hundreds of products, and Oracle and security researchers alike recommend that users update their systems as soon as possible to prevent compromise.
“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” researchers said in the pre-release announcement. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”
The Database Server section of the advisory lists 3 new security fixes for the Oracle Database Server, one of which may be remotely exploitable without authentication and affects Core RDBMS, Java VM, and Oracle Spatial.
The updates also will include a new security fix for Oracle Global Lifecycle Management, 14 new security fixes for Oracle Communications Applications, and 11 new security fixes for the Oracle Construction and Engineering Suite.
The fix listed in the Global Lifecycle Management Risk Matrix also covers a vulnerability that is remotely exploitable without authentication; it affects the company’s Global Lifecycle Management OPatchAuto.
The update will also address issues in Oracle E-Business Suite, Enterprise Manager Products Suite, Financial Services Applications, Fusion Middleware, Hospitality Applications, Hyperion, iLearning, Insurance Applications, Java SE, JD Edwards Products, MySQL, PeopleSoft Products, Policy Automation, Retail Applications, Siebel CRM, Sun Systems Products Suite, Support Tools, Utilities Applications, and Virtualization.
Some researchers fear these vulnerabilities will affect products for years to come and recognize that, given the scope of the update, many users may delay updating their systems for fear of the downtime the updates may cause.
“Because updating Oracle databases [generally] causes business disruption, people are often slow to make necessary updates,” said Allan Liska, threat intelligence researcher at Recorded Future. “We encourage organizations to immediately begin planning for these updates, given the significant risk and low attacker sophistication to find and exploit.”
Liska added that many of the products are deployed on public-facing websites, which could mean hundreds of thousands of hosts and organizations are vulnerable to attack.