Qualys Blog

www.qualys.com
amolsarwate

Oracle October 2016 Critical Patch Update

Oracle released another massive patch update today which fixed 253 security flaws across hundreds of Oracle products. This year we have seen the updates getting bigger, compared to an average of 161 vulnerabilities in 2015 and 128 vulnerabilities in 2014. Many components fixed in today’s release are remotely exploitable. Since most organizations have different teams to patch databases, networking components, operating systems, application servers and ERP systems, I have broken down the massive update into these categories. With the exception of Java there are no consumer products, and administrators should focus on their individual patching domains.


On the database front there were 31 vulnerabilities fixed in MySQL as compared to 12 in the Oracle database. Databases are typically not exposed to the internet, but administrators should plan on patching for CVE-2016-6304, CVE-2016-5598 and CVE-2010-5312 as they are remotely exploitable and attackers can use them after compromising another system on the network.

Java received 7 security updates, and since all of these vulnerabilities are remotely exploitable without authentication, administrators and consumers should treat them as high priority. On Windows, since Java is typically run with administrative privileges, users should update as soon as possible.

On the operating system front, 16 vulnerabilities were fixed in Solaris and administrators should pay attention to the IKE, DNS (ZFS Storage appliance) and the HTTP vulnerabilities that can be exploited remotely.

On the middleware and web server front, WebLogic, GlassFish, iPlanet and other web services were patched; these are categorized under ‘Fusion Middleware’. Most of the vulnerabilities are remotely exploitable over the HTTP protocol, and attackers can remotely take complete control of the victim machine without authentication. A total of 19 vulnerabilities could be remotely exploited in this category.

About 60 vulnerabilities were also fixed in Communication applications and Financial applications and are worth noting if you run these applications due to the sheer number of bugs being fixed. Siebel and JD Edwards were also patched.

To conclude, it’s going to be a busy few days for administrators responsible for patching, as updates released today touched almost all Oracle products.
