Oracle pushes a Critical Patch Update for multiple security vulnerabilities; these updates are usually cumulative but also affect many other components. Oracle has been issuing Critical Patch Updates since 2014 and, to date, has released 18 other Critical Patch Updates.
For this quarter, Oracle also credits more than 30 security researchers for reporting bugs, and more than 80 CVE IDs have been assigned to various zero-day vulnerabilities, including Spectre and Meltdown, which wreaked havoc last year. Essentially, zero-day vulnerabilities are flaws in software that no one knows about, meaning no one has developed a way to stop hackers and malware from taking advantage of them. Knowing about one of these vulnerabilities makes it easier to break in; it is as if someone left their door unlocked.
It is also essential to review the Critical Patch Update supporting documentation referenced in this Advisory before applying patches, as that is where the important, pertinent information is found.
The next four dates for Critical Patch Updates are as follows:
- 16 October 2018
- 15 January 2019
- 16 April 2019
- 16 July 2019
Oracle’s Financial Services Applications received the most patches, around 56, while MySQL received close to 31.
According to the ERPScan report, around 60-65% of the vulnerabilities can be exploited remotely without any credentials, and approximately 17 critical vulnerabilities were discovered and reported by ERPScan researchers. These include Cross-Site Scripting in the JDE URLBuilderService and in the JDE GraphPrototype, MMDGView and TEDocWindow maflets, SQL Injection in Oracle Business Process Management, SSI (Server Side Injection) in the PSIGW module, and Remote Code Execution in Oracle MapViewer.
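"Exploitable remotely without any credentials" is what a CVSS v3 base vector expresses with Attack Vector `AV:N` and Privileges Required `PR:N`. The following triage script is an added example, not code from this advisory or from the ERPScan report: it parses CVSS v3 vector strings, flags the remote-unauthenticated ones, and computes the share they make up, which is how a defender would reproduce a figure like the 60-65% quoted above from an advisory's risk matrix. The finding identifiers and vectors below are constructed sample data, not real CVE entries.

```python
"""Triage CVSS v3.x base vectors to find flaws exploitable remotely without credentials.

Added example with constructed sample data; the identifiers are not real CVE IDs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The eight CVSS v3 base metrics every vector must carry.
BASE_METRICS = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


@dataclass
class Finding:
    ident: str   # advisory-local identifier (constructed here)
    vector: str  # CVSS v3.x vector string, e.g. "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"


def parse_cvss3_vector(vector: str) -> Dict[str, str]:
    """Split a CVSS v3.x vector string into a metric -> value map.

    Raises ValueError on a non-v3 prefix, a malformed metric, or a missing base metric,
    so a corrupt advisory row is reported instead of silently counted as 'not remote'.
    """
    parts = vector.strip().split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics: Dict[str, str] = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    missing = [m for m in BASE_METRICS if m not in metrics]
    if missing:
        raise ValueError(f"missing base metrics {missing} in {vector!r}")
    return metrics


def is_remote_unauthenticated(vector: str) -> bool:
    """True when the flaw is reachable over the network (AV:N) with no privileges (PR:N)."""
    metrics = parse_cvss3_vector(vector)
    return metrics["AV"] == "N" and metrics["PR"] == "N"


def triage(findings: List[Finding]) -> Tuple[List[str], float]:
    """Return the identifiers of remote-unauthenticated findings and their percentage of the total."""
    remote = [f.ident for f in findings if is_remote_unauthenticated(f.vector)]
    percent = 100.0 * len(remote) / len(findings) if findings else 0.0
    return remote, percent


# Constructed sample rows in the shape of an advisory risk matrix (not real CVEs).
SAMPLE_FINDINGS = [
    Finding("VULN-A", "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),  # remote RCE-style
    Finding("VULN-B", "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),  # needs low privileges
    Finding("VULN-C", "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),  # XSS-style, user interaction
    Finding("VULN-D", "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"),  # local only
    Finding("VULN-E", "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"),  # remote, high complexity
]


if __name__ == "__main__":
    ids, pct = triage(SAMPLE_FINDINGS)
    print(f"remote, unauthenticated: {ids} ({pct:.1f}% of {len(SAMPLE_FINDINGS)})")
```

Note that `UI:R` (user interaction required, as for reflected XSS) still counts as remote and unauthenticated here, which matches how such figures are usually quoted; tighten the predicate to `metrics["UI"] == "N"` if your patch-priority policy wants only flaws that need no victim involvement.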
Number of Vulnerabilities by Product:

| Product Family | Number of Patches |
|---|---|
| Financial Services Applications | 56 |
| Sun Systems Products Suite | 22 |
| Enterprise Manager Products Suite | 16 |
| Construction and Engineering Suite | 11 |
| JD Edwards Products | 10 |
| Supply Chain Products Suite | 8 |
Let’s try a metaphor. Pretend you bought a security system for your house, because you need to protect an extremely valuable diamond.
Two years after the system is set up, the company that installed it for you notices a flaw: criminals who clap three times while bouncing on one leg cannot be detected. If the company that installed your security system offered to fix this vulnerability, free of charge, would you let them?
Of course you would. Think of patches the same way.
Oracle strongly recommends applying the patches as soon as possible.
If, as a security researcher, you want to report something to Oracle, you can send it to firstname.lastname@example.org. Oracle values the independent security researchers who find and report security vulnerabilities and work with Oracle so that security fixes can be issued to all customers.