Oracle is recommending customers apply its July security update, which fixes 308 bugs across a broad array of its products.
The July patch is the largest critical patch update Oracle has ever released, fixing nine more bugs than its monster April update, which plugged the Shadowbrokers' Solaris bug 'EXTREMEPARR' and the Apache Struts flaw which was already under attack.
There are updates available for Oracle Database Server, Oracle Enterprise Manager, Oracle Fusion Middleware, Oracle Hyperion, Oracle E-Business Suite, Oracle Industry Applications (Communications, Retail, and Hospitality), Oracle Primavera, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.
The largest number of updates this quarter is for Oracle's Hospitality Applications, which have 48 fixes, 11 of which are remotely exploitable without credentials. The most severe issues fixed are for MICROS PC Workstation 2015 and the MICROS Workstation 650, though Oracle notes that systems running the version of Intel's Management Engine (ME) firmware released in May to fix the critical Active Management Technology (AMT) bug are not vulnerable. AMT runs on ME.
The product group with the largest number of remotely exploitable flaws was Oracle Fusion Middleware. Of a total of 44 fixes, 31 address potentially remotely exploitable flaws that don't require user credentials. The highest severity issue in this family is a bug in Oracle WebLogic Server, which is remotely exploitable and simple to attack.
Java SE has a lot of high severity bugs too. According to Oracle, 28 of 32 new fixes for Java SE address flaws that may be remotely exploitable.
Oracle's E-Business Suite has 22 fixes, 18 of which may be remotely exploitable without authentication. And there are 30 fixes for PeopleSoft products, of which two-thirds again may be remotely exploitable without needing credentials. Four of 20 fixes for Oracle's Financial Services products are also remotely exploitable.