Oracle Corporation released its quarterly Critical Patch Update (CPU) on Tuesday, announcing fixes for 270 vulnerabilities.
The Redwood Shores, Calif.-based technology giant resolved flaws in a variety of product families including Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE and Oracle MySQL.
Sixteen of the fixed vulnerabilities were listed as critical based on assessments using the Common Vulnerability Scoring System (CVSS), according to an analysis by ERPScan. One of them, a vulnerability in the Primavera P6 Enterprise Project Portfolio Management software, was assigned the maximum score of 10.0. Officially designated CVE-2017-3324, this flaw can be exploited by unauthenticated attackers with network access via HTTP in order to create, delete, modify or access data or cause a partial denial of service.
A total of 31 flaws scored as “high risk” in all three of CVSS' impact metrics – confidentiality, integrity and availability.
Oracle's CPU contains 121 new security fixes for the Oracle E-Business Suite alone – 118 of which may be remotely exploitable without authentication. “The focus has shifted from Database and Java SE to critical business applications...” reads the ERPScan blog post.
"This CPU is special because the number of vulnerabilities fixed sets a new record for the amount of vulnerabilities fixed in a single CPU for Business Critical Applications," states a blog post by Matias Mevied, Oracle security specialist at ERP and business application security company Onapsis. (It is not, however, the most vulnerabilities ever reported by Oracle in one update.)
"With the growing amount of researchers reporting security weaknesses to Oracle, it is a great sign of the company's flexibility and willingness to work with these teams to solve as many vulnerabilities as they do."