Oracle patched a whopping 276 security flaws, 159 of which can be exploited remotely without authentication, in more than 80 products in its largest patch bundle to date.
The bundle included 40 new security fixes for Oracle Fusion Middleware, 34 new security fixes for the Oracle Sun Systems Products Suite, 25 new security fixes for the Oracle Supply Chain, 22 new security fixes for Oracle MySQL, and 13 new security fixes for Oracle Java SE, according to a July security advisory.
“Customers really do need to apply these Java CPU patches as soon as possible,” Waratek Chief Technology Officer John Matthew Holt told PCWorld, citing the widespread use of the software.
Researchers at Cisco Talos spotted 18 of the bugs fixed in the bundle, which are present in Oracle's OIT platform.
These bugs are severe because several third parties use Oracle's OIT to parse and transform files, Cisco researchers said in a July 20 blog post.
Avira AntiVir for Exchange, IBM WebSphere Portal, Google Search Appliance, Guidance Encase, Microsoft Exchange, Novell Groupwise, Raytheon SureView, and Veritas (Symantec) Enterprise Vault are all products that rely on OIT, the Cisco post said.
Cisco researchers didn't confirm that each of these third-party products is affected but did confirm that some are running vulnerable OIT-related code.
“Oracle is known for their massive, complicated critical patch updates,” Tyler Reguly, manager of the Tripwire vulnerability and exposure research team, told SCMagazine.com via emailed comments.
“The name is a misnomer as this 'critical patch update' may contain critical patches but not everything contained within it is critical. Instead, it's a security bulletin where every Oracle product is wedged into a single cluttered page.”
Users were encouraged to follow up with their vendors to ensure that patches are available for the bugs.