Qualys Blog

www.qualys.com
amolsarwate

Oracle July 2016 Critical Patch Update

Today Oracle released its July critical patch update, fixing 276 security issues across hundreds of Oracle products. On average, Oracle fixed about 161 vulnerabilities per update in 2015 and 128 in 2014, which makes today’s update the largest. Of the 276 vulnerabilities, 159 can be exploited remotely without authentication, typically over a network without the need for any credentials. The table below lists components ordered by the number of issues, and the description that follows has the details. Since most organizations have different teams to patch databases, networking components, operating systems, application servers and ERP systems, I have broken down the massive update into these categories.

| Component | No. of vulnerabilities |
|---|---|
| Fusion Middleware | 39 |
| Sun Systems | 34 |
| Supply Chain | 27 |
| E-Business Suite | 23 |
| MySQL | 22 |
| Siebel CRM | 16 |
| Communications | 16 |
| Retail | 16 |
| Oracle Primavera | 15 |
| Java SE | 13 |
| Database Server | 9 |
| Enterprise Manager Grid Control | 9 |
| Insurance | 8 |
| PeopleSoft | 7 |
| Health Sciences | 5 |
| Financial Services | 4 |
| Policy Automation | 4 |
| Linux and Virtualization | 4 |
| Utilities | 3 |
| Hyperion | 1 |
| JD Edwards | 1 |

At the top of our list are the patches for Java SE, which fix 13 security issues, 9 of which can be exploited remotely over the network. These come first because Java is used in a broad range of applications.

For database patching teams, the top of the list is MySQL with 22 fixed issues and Oracle Database Server with 9 fixed issues. Databases are typically not exposed directly to the internet, but because they hold the crown jewels of any organization, we recommend patching immediately.

For web servers, the top of the list is components that could be accessible externally over the network, like Oracle HTTP Server, WebLogic Server and GlassFish Server. These are typically included in Fusion Middleware, and 35 of its 39 vulnerabilities are exploitable remotely without authentication. There are also other components, like Enterprise Manager Grid Control, E-Business Suite and Supply Chain Products, where the web servers of the respective components are affected and HTTP is the main attack vector.

For operating systems and networking gear, focus on Solaris and Linux as well as the patches for Sun Blade and switches. These are included in the Oracle Sun Systems Products Suite, and of its 34 vulnerabilities, 21 can be exploited without authentication.

There are also patches for PeopleSoft, Siebel CRM and JD Edwards. In addition, depending on your vertical, you could also be affected by patches for applications that are targeted at your sector, like Financial Services, Health Services, Insurance, Utilities, Retail and others. Most of the vulnerabilities in this category also affect web servers, and HTTP is the main attack vector.

 

 
