April 19 may now be known as Oracle Patch Day with the company issuing and record 299 critical security fixes, including several that patch issues that can be exploited by some of the leaked NSA tools.
The vulnerabilities covered all of Oracle product line, but the headline grabber out of the bunch is the fix for Solaris 10 and 11.3 which patches the Shadow Brokers EXTREMEPARR tool vulnerability CVE-2017-3622 and CVE-2017-3623, which also go by the names “Ebbisland” or “Ebbshave, blogged Amol Sarwate, Qualys’ director of engineering. If exploited CVE-2017-3622 could have allowed for local privilege escalation and give an attacker the ability to seize control of an unpatched machine. Sarwate also noted that CVE-2017-3623 was previously addressed by Oracle “in several Solaris 10 patch distributions issued since January 26th 2012 and does not affect Solaris 11.”
Oracle said in the Critical PatchUpdate that it often receives reports of users being victimized by previously patched vulnerabilities, such as CVE-2017-3623, which in many cases took place because the customer did not update their system.
The huge release also contained 25 fixes associated with the Apache Struts vulnerability which if left unpatched leaves a computer running Struts open to being taken over.
“The struts fix was applied to 19 instances of Oracle Financial Services Applications along with WebCenter, WebLogic, Siebel, Oracle Communications, MySQL and Oracle Retail,” Sarwate said, in a blog.