Oracle released its latest batch of patches on Tuesday to address 253 security vulnerabilities for 76 products including its database servers, networking elements, operating systems, application servers and enterprise resource planning (ERP) systems.
Fifteen of the fixes in Oracle's October 2016 Critical Patch Update carry a Common Vulnerability Scoring System (CVSS) base score of 9.0 or above, which places them in the critical band. Nearly half of the flaws can be exploited remotely without authentication to compromise the affected component.
The software company “strongly recommends” that administrators “apply Critical Patch Update fixes without delay.”
The latest batch includes 23 fixes for versions of its E-Business Suite (EBS) whose vulnerable components are reachable over HTTP. The company said 21 of the vulnerabilities "may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password."
The company's Java application framework received 13 updates, nine of them for bugs that can be exploited remotely without authentication.
One critical bug, rated 9.1, affects versions of the "OJVM component of Oracle Database Server." Oracle describes it as an "easily exploitable vulnerability" that can lead to takeover of OJVM.
Also addressed is an "easily exploitable vulnerability" in the Application Express component of Oracle Database Server that is reachable by an attacker with network access over HTTP.
A significant number of flaws, 29, were fixed in Oracle Fusion Middleware, components of which are embedded in a number of third-party products to handle file formats. Nineteen of these bugs can be exploited remotely without authentication, the company stated, and five of them are rated critical.
Bugs in Oracle's PeopleSoft products were addressed with 11 security updates; its JD Edwards products received two, and three fixes were issued for Oracle Siebel CRM.
This set of updates is the company’s second largest this year and addresses nearly all its offerings.