Oracle Users, Brace Yourselves for a Mammoth Patching Session

273 vulnerabilities are remotely exploitable without authentication...

By CBR Staff Writer

Oracle users, brace yourselves: an eye-watering 405 new security vulnerabilities need patching, with the avalanche of software updates arriving later today (April 14, 2020).

Over half of them, or a total of 273, are potentially remotely exploitable without authentication, Oracle warned – suggesting some major patching sessions ahead.

The release is part of the company’s quarterly set of security advisories, with initial details provided by the company so customers can assess whether they are impacted.

Among them, a chunky 34 new security patches for Oracle’s suite of financial services applications, 16 of which could be abused over a network without requiring user credentials.

In a sign of how serious some of the financial services application vulnerabilities are likely to be, they include one with a CVSS score of a critical 9.8, suggesting both high impact and easy exploitability. More details are to follow from Oracle late today.

(CVSS, or the Common Vulnerability Scoring System, is an open industry standard for assessing the severity of computer system security vulnerabilities.)

Oracle Security Patches

Among the ones to look out for:


A chunky 74 new security patches for the Oracle E-Business Suite, the vast majority of which (71) are potentially remotely exploitable without authentication.

Further, two remotely exploitable bugs in Oracle Support Tools with a highly critical CVSS score of 9.8. (Oracle provides hundreds of tools to automate and/or optimise manual support processes and conduct diagnostics. Details on precisely which is affected will, again, be revealed when the patches land late on April 14.)

Also standing out: 45 new security patches for Oracle’s widely deployed MySQL database; nine of which are potentially remotely exploitable without authentication.

The worst, again, has a critical CVSS score of 9.8.

Affected:

  • MySQL Client, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.18 and prior
  • MySQL Cluster, versions 7.3.28 and prior, 7.4.27 and prior, 7.5.17 and prior, 7.6.13 and prior, 8.0.19 and prior
  • MySQL Connectors, versions 5.1.48 and prior, 8.0.19 and prior
  • MySQL Enterprise Monitor, versions 4.0.11.5331 and prior, 8.0.18.1217 and prior
  • MySQL Server, versions 5.6.47 and prior, 5.7.29 and prior, 8.0.19 and prior
  • MySQL Workbench, versions 8.0.19 and prior
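The version list above is the kind of thing an IT team has to check against an inventory before the patches land. The following is an added example, not code from Oracle or from this article: it encodes the "and prior" ceilings above per product branch and flags inventory entries that fall inside an affected range. The inventory lines are constructed sample data.

```python
"""Flag MySQL components whose installed version falls in an affected range."""
from typing import Dict, List, Tuple

# Highest affected version per branch ("X and prior"), taken from the list above.
AFFECTED: Dict[str, List[str]] = {
    "MySQL Client": ["5.6.47", "5.7.29", "8.0.18"],
    "MySQL Cluster": ["7.3.28", "7.4.27", "7.5.17", "7.6.13", "8.0.19"],
    "MySQL Connectors": ["5.1.48", "8.0.19"],
    "MySQL Enterprise Monitor": ["4.0.11.5331", "8.0.18.1217"],
    "MySQL Server": ["5.6.47", "5.7.29", "8.0.19"],
    "MySQL Workbench": ["8.0.19"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """'8.0.18' -> (8, 0, 18), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


def branch_of(v: str) -> Tuple[int, int]:
    """The branch is the first two components: 5.7.29 -> (5, 7). Short strings are padded."""
    parsed = parse_version(v) + (0, 0)
    return parsed[0], parsed[1]


def is_affected(product: str, version: str) -> bool:
    """True when the version sits on a listed branch and is at or below that branch's ceiling.

    A version on a branch that the list does not mention is reported as not affected
    by this advisory; a version above the ceiling on a listed branch is already past it.
    """
    ceilings = AFFECTED.get(product)
    if ceilings is None:
        raise KeyError(f"unknown product: {product}")
    installed = parse_version(version)
    for ceiling in ceilings:
        if branch_of(ceiling) == branch_of(version):
            return installed <= parse_version(ceiling)
    return False


# Constructed sample inventory: (host, product, version). Not real hosts.
SAMPLE_INVENTORY = [
    ("db-01", "MySQL Server", "5.7.29"),
    ("db-02", "MySQL Server", "8.0.20"),
    ("app-01", "MySQL Connectors", "8.0.19"),
    ("mon-01", "MySQL Enterprise Monitor", "8.0.18.1217"),
    ("ws-07", "MySQL Workbench", "8.0.20"),
]


def needs_patch(inventory):
    """Return the (host, product, version) entries that fall inside an affected range."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


if __name__ == "__main__":
    for host, product, version in needs_patch(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is within the affected range")
```

The check is deliberately conservative about branches: a release on a branch absent from the list is not assumed safe, it is simply outside what this advisory summary covers.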

With 56 new security patches for Oracle Fusion Middleware, 49 of which can again be abused by a bad actor over a network without authentication, and the same for 35 vulnerabilities in Oracle Communications Applications (spanning Services Gatekeeper, WebRTC Session Controller and more), sysadmins and IT teams look set for a busy Tuesday evening.

Computer Business Review will bring you more details when the full set of bug fixes lands. Here’s the full overview meanwhile for a quick assessment.

See also: Software Patch Management: Tips, Tricks and Stern Warnings
