Oracle kicked off the New Year with its first installment of the quarterly CPU (critical patch update) for 2017. The update contains fix for 270 security issues across wide range of products. The graph below shows distribution of the update. More than 100 vulnerabilities that were fixed could be compromised by a remote attacker without requiring any credentials. Most remote vulnerabilities could be exploited over the HTTP protocol.
Oracle released another massive patch update today which fixed 253 security flaws across hundreds of Oracle products. This year we have seen the updates getting bigger as compared to an average of 161 vulnerabilities 2015 and 128 vulnerabilities in 2014. Many components fixed in today’s release are remotely exploitable. Since most organizations have different teams to patch databases, networking components, operating systems, applications server and ERP systems, I have broken down the massive update in these categories. Other than the exception of Java there are no consumer products and administrators should focus on their individual patching domains.
Today Oracle released its July critical patch update fixing 276 security issues across hundreds of Oracle products. On average in 2015 Oracle fixed about 161 vulnerabilities per update and the number was 128 in 2014. That makes today’s update the largest and here is a breakdown of the vulnerabilities. Out of the 276 vulnerabilities, 159 can be exploited remotely without authentication, typically over a network without the need of any credentials. The table lists components ordered by the number of issues and description below has details. Since most organizations have different teams to patch databases, networking components, operating systems, applications server and ERP systems, I have broken down the massive update in these categories.
Oracle has published their Critical Patch Update (CPU) for January 2016. The Oracle CPU is quarterly and addresses the flaws in large Oracle’s product line, including their core product the relational database, but also in a large number of acquisitions like Solaris, MySQL, Java and many of the end-user products, such as JDEdwards ERP, Peoplesoft and CRM.
Oracle released its Critical Patch Update (CPU) for July 2014 with 115 patch updates to a variety of Oracle products. The most critical vulnerabilities fixed by these patches would allow an attacker to take control of the machine that the software is running on – workstation or server.
Oracle released another massive critical patch update (CPU) today which contains 104 new security fixes. Java SE took the lion’s share of fixes followed by Fusion Middleware and MySQL. Only two vulnerabilities were fixed in the flagship Database Server 11g and 12c and both the vulnerabilities need credentials to be exploited remotely.
Update: Adobe will release a new version of its Reader and Acrobat products on Tuesday as well. The new versions will address critical issues on both Windows and Mac OS X.
Original: 2014’s first Patch Tuesday is coming up next week and it will be a full plate for IT administrators even though we are looking at only four bulletins from Microsoft. Oracle will simultaneously release its Critical Patch Update, and these quarterly releases typically address over 100 vulnerabilities in their large software line. For example, 127 were addressed in October of 2013. Analyzing the applicability of these flaws to one’s software infrastructure and addressing them are a major concern for any organization that uses Oracle products.
Oracle released today its Critical Patch Update (CPU) for July 2013. The CPU is Oracle’s quarterly mechanism to publish updates for all of its supported products, with the exception of Java. Java is on a different update cycle of every four months, but it will be migrated to the same schedule beginning in October of 2013.
This month’s CPU contains 89 updates touching most of Oracle’s product groups. A large percentage (>40%) of the vulnerabilities addressed allow for remote unauthenticated access for the attacker and should be priority, particularly on applications that are exposed to the Internet.
Today Oracle released its June 2013 Java SE Critical Patch Update (CPU) which fixed 40 new security issues. All vulnerabilities except three can be exploited remotely by an attacker, and in most cases, the attacker can take complete control of the system. An attacker can achieve this by using a variety of drive-by techniques letting a Java applet run arbitrary code outside of the Java sandbox. Todays CPU affects JDK and JRE versions 5, 6 and 7. We highly recommend applying these patches as soon as possible.