In its quarterly security update, Oracle has released 113 patches for vulnerabilities across hundreds of its products.
On Tuesday, the company published an advisory for its July Critical Patch Update (CPU), detailing the affected software and ranking each flaw by its Common Vulnerability Scoring System (CVSS) base score. Oracle's widely deployed browser plug-in, Java, received 20 patches, all for vulnerabilities that could be exploited remotely by an attacker without a username and password.
One or more of the Java bugs received a CVSS base score of 10, the most critical ranking. Among the numerous Oracle products and software components addressed in the update – including Oracle Fusion Middleware, Oracle MySQL Server, Oracle Database 11 and 12, and Oracle E-Business Suite – Java was the only product with security issues scoring a 10.
Still, vulnerabilities in Oracle Database Server, affecting the product's network layer, relational database management system (RDBMS) core, and XML parser components, received a CVSS base score of 9, the company revealed. The quarterly update contained only five patches for bugs in Oracle Database Server.
In prepared emailed comments on the July CPU, Ross Barrett, senior manager of security engineering at Rapid7, told SCMagazine.com that the Oracle Database issues would take priority for enterprise database administrators, while fixes for Java would be the top patching concern for “almost all home and enterprise end-users.”
“Recent improvements to the control of when the browser may run Java plug-ins have somewhat mitigated the risk for those users who have been keeping their JRE up to date and actually pay attention to the warnings and controls,” Barrett wrote. “That said, this is still going to be a major risk and we will have to monitor for co-publication of exploit code from various disclosure systems.”