Oracle critical update fixes 254 flaws - so get patching now
Oracle has published its critical patch update for April, offering 254 security fixes across 20 product sets.
The database giant said customers should install the update as soon as possible, as attackers continue to attempt to exploit patched vulnerabilities.
"In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay," it said.
See: Cyberwar: A guide to the frightening future of online conflict
Eric Maurice, Oracle's director of security assurance, said about one third of the security fixes provided are for non-Oracle Common Vulnerabilities and Exposures (CVEs), that is security fixes for third-party software components that are included in Oracle products.
Oracle's January critical patch update provided patches for the Spectre and Meltdown processor vulnerabilities, and the April update includes one further Spectre update (for CVE-2017-5753) for the Solaris OS kernel.
The April critical patch update also contains:
- Two new security fixes for the Oracle Database Server, including one new security fix for Oracle GoldenGate for a vulnerability that is remotely exploitable without authentication
- Nine new security fixes for Oracle Communications Applications; six of these vulnerabilities may be remotely exploitable without authentication
- Four new security fixes for the Oracle Construction and Engineering Suite, two which may be remotely exploitable
- 12 new security fixes for the Oracle E-Business Suite: 11 of these vulnerabilities may be remotely exploitable without authentication
- 10 new security fixes for the Oracle Enterprise Manager Products Suite; eight of these vulnerabilities may be remotely exploitable without authentication
- 36 new security fixes for Oracle Financial Services Applications - 18 of these vulnerabilities may be remotely exploitable without authentication
- 39 new security fixes for Oracle Fusion Middleware, 30 of which may be remotely exploitable
- 13 new security fixes for Oracle Hospitality Applications; four may be remotely exploitable without authentication
- 14 new security fixes for Oracle Java SE: 12 of these vulnerabilities may be remotely exploitable without authentication
- Three new security fixes for Oracle JD Edwards Products - all three may be remotely exploitable without authentication
- 33 new security fixes for Oracle MySQL, two potentially remotely exploitable without authentication
- 12 new security fixes for Oracle PeopleSoft Products: eight of these vulnerabilities may be remotely exploitable without authentication
- 31 new security fixes for Oracle Retail Applications - 27 which may be remotely exploitable without authentication
- Two new security fixes for Oracle Siebel CRM - one remotely exploitable.
- 14 new security fixes for the Oracle Sun Systems Products Suite, three remotely exploitable without authentication
- Five new security fixes for the Oracle Supply Chain Products Suite, three remotely exploitable without authentication
- One new security fix for Oracle Support Tools - not remotely exploitable without authentication
- One new security fix for Oracle Utilities Applications. This vulnerability is remotely exploitable without authentication
- 13 new security fixes for Oracle Virtualization, three remotely exploitable without authentication
Oracle's critical patch updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are 17 July 2018, 16 October 2018, 15 January 2019 and 16 April 2019.
More on Oracle