Qualys Blog

www.qualys.com
11 posts

Oracle Plugs Struts and Shadow Brokers hole along with 299 Total Vulnerabilities

Today Oracle released a total of 299 new security fixes across all product families. It is important to note that it fixed 25 instances of the infamous Apache Struts vulnerability, which could allow a remote attacker to take complete control of the server running Struts. The Struts fix was applied to 19 instances of Oracle Financial Services Applications along with WebCenter, WebLogic, Siebel, Oracle Communications, MySQL and Oracle Retail.

Oracle also released Patch 25878798 for Solaris 10 and 11.3, which fixed the second Shadow Brokers EXTREMEPARR vulnerability, CVE-2017-3622. EXTREMEPARR has a CVSS Base Score of 7.8 and, if successfully exploited, allows a local privilege escalation in the ‘dtappgather’ component. The other Shadow Brokers vulnerability, CVE-2017-3623 (a.k.a. “Ebbisland” or “Ebbshave”), was previously addressed by Oracle in several Solaris 10 patch distributions issued since January 26th 2012 and does not affect Solaris 11.

Out of the 299 total fixes, MySQL, Financial Services, Retail and Fusion Middleware take the lion’s share, and the distribution is shown in the chart below. The majority of the vulnerabilities in Financial Services, Retail and Fusion Middleware could be exploited via the HTTP protocol, and attackers could take complete control of the system remotely without needing any credentials.

Continue reading …

Oracle January 2017 CPU Fixes 270 Vulnerabilities

Oracle kicked off the New Year with its first installment of the quarterly CPU (Critical Patch Update) for 2017. The update contains fixes for 270 security issues across a wide range of products. The graph below shows the distribution of the update. More than 100 of the vulnerabilities fixed could be exploited by a remote attacker without requiring any credentials. Most of the remote vulnerabilities could be exploited over the HTTP protocol.

Continue reading …

Oracle July 2016 Critical Patch Update

Today Oracle released its July Critical Patch Update, fixing 276 security issues across hundreds of Oracle products. On average in 2015 Oracle fixed about 161 vulnerabilities per update, and the number was 128 in 2014. That makes today’s update the largest, and here is a breakdown of the vulnerabilities. Out of the 276 vulnerabilities, 159 can be exploited remotely without authentication, typically over a network without the need for any credentials. The table lists components ordered by the number of issues, and the description below has the details. Since most organizations have different teams to patch databases, networking components, operating systems, application servers and ERP systems, I have broken down the massive update into these categories.

Continue reading …

Oracle Critical Patch Update April 2016

This week Oracle released their quarterly Critical Patch Update (CPU) for April 2016. The CPU addresses 136 vulnerabilities in 49 products, including Java, Solaris, several middleware products, VirtualBox, the MySQL database and the original Oracle database.

Continue reading …

Oracle Critical Patch Update October 2015

Oracle published their quarterly Critical Patch Update for October 2015, addressing 154 vulnerabilities distributed across 50+ different products. We will give you our read on the update and help with your prioritization.

Continue reading …

Patch Tuesday January 2015, 2nd Edition

Every three months Patch Tuesday has a 2nd edition, when Oracle publishes the security updates for its considerable software portfolio.

Continue reading …

Oracle CPU October 2014

In the third patch release of the day, after Adobe and Microsoft, Oracle publishes code fixes for 154 distinct vulnerabilities across a large number of product families. Many of the vulnerabilities addressed are of a critical nature, allowing an attacker to achieve remote code execution. Due to the large number of patches, a precise inventory will be crucial for deciding where to patch first.

Continue reading …

Oracle Critical Patch Update July 2014

Oracle released its Critical Patch Update (CPU) for July 2014 with 115 patch updates to a variety of Oracle products. The most critical vulnerabilities fixed by these patches would allow an attacker to take control of the machine that the software is running on – workstation or server.

Continue reading …

Oracle Critical Patch Update July 2014

Oracle just released its announcement of the July Critical Patch Update (CPU). Oracle bundles the security updates for the majority of the products it controls into a quarterly update, something of a Super Tuesday of computer security. This time we are getting 115 fixes for vulnerabilities across over 30 different product groups, with even more individual software versions affected.

Continue reading …

Oracle April CPU 2014: Java Takes the Lion’s Share


Oracle released another massive critical patch update (CPU) today which contains 104 new security fixes. Java SE took the lion’s share of fixes followed by Fusion Middleware and MySQL. Only two vulnerabilities were fixed in the flagship Database Server 11g and 12c and both the vulnerabilities need credentials to be exploited remotely.

Continue reading …