Patch/Configuration Management, Vulnerability Management

Oracle previews final Critical Patch Update of year, 153 security fixes

Oracle puts out four Critical Patch Updates per year and the final one of 2015 – scheduled for release on Oct. 20 – contains 153 security fixes across hundreds of Oracle products, according to a pre-release announcement.

Perhaps the most notable set of patches is coming to Oracle Java SE.

The Critical Patch Update contains 25 security fixes for Oracle Java SE, and 24 of those bugs may be remotely exploitable without authentication, the pre-release announcement said, noting that at least one vulnerability has a CVSS Base Score of 10.0.

Other products that contain at least one vulnerability with a CVSS Base Score of 10.0 are Oracle Database Server, Oracle Communications Applications, Oracle Sun Systems Products Suite, and Oracle Pillar Axiom.

The Critical Patch Update addresses seven bugs in Oracle Database Server, one of which may be remotely exploitable without authentication; nine bugs in Oracle Communications Applications, eight of which may be remotely exploitable without authentication; 15 bugs in Oracle Sun Systems Products Suite, four of which may be remotely exploitable without authentication; and one bug in Oracle Pillar Axiom, which is remotely exploitable without authentication.

Of the 30 security fixes for Oracle MySQL, two are for vulnerabilities that could be remotely exploitable without authentication, and at least one bug has a CVSS Base Score of 9.0, the pre-release announcement said.

For the following products, the highest CVSS Base Score among the vulnerabilities fixed is 7.5 or lower.

The Critical Patch Update addresses 23 bugs in Oracle Fusion Middleware, 16 of which may be remotely exploitable without authentication; five bugs in Oracle Enterprise Manager Grid Control, three of which may be remotely exploitable without authentication; and 12 bugs in Oracle E-Business Suite, six of which may be remotely exploitable without authentication.

Continuing, the Critical Patch Update addresses eight bugs in Oracle Supply Chain Products Suite, three of which may be remotely exploitable without authentication; seven bugs in Oracle PeopleSoft Products, one of which may be remotely exploitable without authentication; and four bugs in Oracle Retail Applications, all of which may be remotely exploitable without authentication.

Additionally, one vulnerability addressed in Oracle Siebel CRM is remotely exploitable without authentication, and one bug addressed in Oracle Industry Applications is remotely exploitable without authentication.

The remaining products contain fixes for vulnerabilities that are not remotely exploitable without authentication – three bugs were addressed in Oracle Virtualization, one bug was addressed in Oracle Database Mobile/Lite Server, and one flaw was addressed in Oracle Hyperion.

“Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products,” the pre-release announcement said. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”
