334 Security fixes – Oracle issued Critical Patch Update

Oracle's Critical Patch Updates (CPUs) bundle fixes for many security vulnerabilities across its product lines and ship on a fixed quarterly schedule. The patches are generally cumulative, so a given CPU carries the fixes from earlier CPUs for the same product, and a single update typically touches a large number of components. Oracle has issued CPUs on this quarterly cadence since 2005; this is the July 2018 release.

For this quarter Oracle also credits more than 30 security researchers, and the fixes reference more than 80 CVE IDs, including entries related to the Spectre and Meltdown CPU flaws that were publicly disclosed in January 2018. A note on terminology: a zero-day vulnerability is one that attackers know about, and may already be exploiting, before the vendor has a fix, so the vendor has had "zero days" to respond. Once a CPU ships, the flaws it covers are no longer zero-days, but every system that has not applied the patch is still exposed to them, and the advisory itself tells attackers where to look. It is as if someone left their door unlocked.

Before applying patches, review the supporting documentation that the advisory references for each product family (the patch availability documents, prerequisites and known issues); that is where the product-specific installation steps and caveats are found.

The next four dates for Critical Patch Updates are as follows:

  • 16 October 2018
  • 15 January 2019
  • 16 April 2019
  • 16 July 2019

Oracle's Financial Services Applications received the most fixes in this CPU (56); MySQL received 31.

According to ERPScan's analysis of this CPU, roughly 60-65% of the vulnerabilities can be exploited remotely without any credentials. ERPScan researchers also discovered and reported about 17 of the critical vulnerabilities fixed in this release, among them:

  • Cross-site scripting in JD Edwards (JDE) URLBuilderService and in the JDE GraphPrototype, MMDGView and TEDocWindow maflets
  • SQL injection in Oracle Business Process Management
  • SSI (server-side injection) in the PeopleSoft Integration Gateway (PSIGW) module
  • Remote code execution in Oracle MapViewer

https://erpscan.com/press-center/blog/analyzing-oracle-security-oracle-critical-patch-update-july-2018/

Number of security fixes by product family (334 in total):

Product Family                       Patches
Financial Services Applications           56
Fusion Middleware                         44
Retail Applications                       31
MySQL                                     31
Hospitality Applications                  24
Sun Systems Products Suite                22
Enterprise Manager Products Suite         16
PeopleSoft                                15
E-Business Suite                          14
Communications Applications               14
Virtualization                            12
Construction and Engineering Suite        11
JD Edwards Products                       10
Java SE                                    8
Supply Chain Products Suite                8
Utilities Applications                     4
Database Server                            4
Policy Automation                          3
Hyperion                                   2
Insurance Applications                     2
Siebel CRM                                 1
iLearning                                  1
Support Tools                              1
Total                                    334

Let’s try a metaphor. Pretend you bought a security system for your house, because you need to protect an extremely valuable diamond.

Two years after the system is set up, the company that installed it for you notices a flaw: criminals who clap three times while bouncing on one leg cannot be detected. If the company that installed your security system offered to fix this vulnerability, free of charge, would you let them?

Of course you would. Think of patches the same way.

Oracle strongly recommends applying the patches as soon as possible.
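"Apply the patches" in practice starts with knowing which hosts are still below the fixed release. The following is an added check I wrote for the one product family most readers run, MySQL; it is not Oracle tooling and not code from the original post. The thresholds in FIXED_MYSQL and the host list in INVENTORY are assumptions for the example: take the real numbers from the risk matrix and patch availability document of the CPU you are applying. The point it makes is that version strings must be compared numerically with distribution suffixes stripped, and that a branch the advisory does not cover must not be reported as patched.

```python
import re
from typing import Dict, List, Tuple

# Minimum patched release per supported MySQL branch. ASSUMPTION for this
# example: placeholders of the right shape; replace with the fixed releases
# named in the CPU documentation you are applying.
FIXED_MYSQL: Dict[str, str] = {
    "5.5": "5.5.61",
    "5.6": "5.6.41",
    "5.7": "5.7.23",
    "8.0": "8.0.12",
}

# Constructed inventory (host, output of SELECT VERSION()); not real hosts.
INVENTORY: List[Tuple[str, str]] = [
    ("db-01", "5.7.22-log"),
    ("db-02", "5.7.23"),
    ("db-03", "8.0.11-0ubuntu0.18.04.1"),
    ("db-04", "5.6.41-enterprise-commercial-advanced"),
    ("db-05", "5.7.9"),
    ("db-06", "5.1.73"),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(s: str) -> Tuple[int, int, int]:
    """Turn '5.7.22-log' into (5, 7, 22). Integer tuples compare numerically;
    comparing the raw strings would rank '5.7.9' above '5.7.23'."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def patch_status(version: str, fixed: Dict[str, str] = FIXED_MYSQL) -> str:
    """Classify one installed version against the fixed-version table."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in fixed:
        # Not a branch the advisory covers: never report it as patched.
        return "unsupported-branch"
    return "patched" if v >= parse_version(fixed[branch]) else "needs-cpu"


def check_inventory(inventory: List[Tuple[str, str]],
                    fixed: Dict[str, str] = FIXED_MYSQL) -> List[Tuple[str, str, str]]:
    """Return (host, version, status) for every host in the inventory."""
    return [(host, ver, patch_status(ver, fixed)) for host, ver in inventory]


if __name__ == "__main__":
    for host, ver, status in check_inventory(INVENTORY):
        print(f"{host:6} {ver:40} {status}")
```

The same shape works for any product in the table above once you have a reliable way to read its version (opatch lsinventory for Database and Fusion Middleware, for instance); the part that does not change is the numeric comparison and the refusal to call an unlisted branch "patched".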

If you find a vulnerability in an Oracle product, report it to secalert_us@oracle.com. Oracle credits independent security researchers who find and report vulnerabilities and coordinate with Oracle so that fixes can be issued to all customers through a Critical Patch Update.

Sarcastic Writer