Yesterday, Oracle released its quarterly critical patch update (CPU) for Q3 2018, the October edition, during which the company fixed 301 vulnerabilities.
Of the 301 flaws, 45 had a severity rating of 9.8 (on a scale of 10) and one even received the maximum 10 rating.
Vulnerabilities with a severity rating this high can be exploited remotely over the network, with no authentication and no user interaction, and the attack is simple enough to be within reach of low-skilled attackers, even those with no in-depth technical knowledge.
Oracle's security team will publish more information about each vulnerability in the coming days. This will give companies more time to update affected applications before details about each flaw are generally available to everyone, including the bad guys.
For now, little information is available, but the vulnerability that received the 10.0 rating affects Oracle GoldenGate, a data replication framework built to move large quantities of data between systems in real time.
The issue affects not only standalone GoldenGate installations but also the many database environments where GoldenGate is deployed as an add-on, such as Oracle Database Server, DB2, MySQL, Sybase, Teradata, and others.
As for vulnerabilities rated 9.8 on the severity scale, these were reported affecting products such as the Oracle Database Server, Oracle Communications, the Oracle Construction and Engineering Suite, the Oracle Enterprise Manager Products Suite, Oracle Fusion Middleware, Oracle Insurance Applications, Oracle JD Edwards, MySQL, Oracle Retail, the Oracle Siebel CRM, and the Oracle Sun Systems Products Suite.
Despite the staggering number of patched flaws (301), this isn't Oracle's biggest recorded CPU. That title goes to the July 2018 CPU, which addressed 334 vulnerabilities, 55 of which carried a 9.8 severity rating.
This was also Oracle's last CPU of 2018. According to ERPScan, Oracle patched 1119 vulnerabilities in 2018, the same number it patched in 2017.