Oracle security update patches 136 vulnerabilities

A number of the bugs are critical issues which can lead to remote exploitation.

Oracle's latest patch update was released on Tuesday, containing 136 fixes for vulnerabilities across an array of Oracle software.


According to the tech giant's security advisory, the April Critical Patch Update (CPU) includes security fixes for 49 products in total, including Oracle Database Server, Java, MySQL and Solaris.

The patch update is the first Oracle has released using the Common Vulnerability Scoring System (CVSS) 3.0, rather than the older CVSS 2.0 scoring system.

Oracle's security release includes fixes for five issues within the Oracle Database Server, two of which can be remotely exploited without authentication.

In addition, the tech giant patched 22 vulnerabilities in Oracle Fusion Middleware. Of these, 21 could be exploited remotely without authentication, and one received a CVSSv2 score of nine.

Seven of the vulnerabilities fixed in this update received the maximum CVSSv2 score of 10.0, the highest severity rating a flaw can be given.

As noted by enterprise software firm Shavlik, the oldest flaw fixed in this update, CVE-2011-4461, dates back to 2011.

"For those exploited in less than a month 7 out of 7 of the CVSS 10.0 vulnerabilities fit the pattern," Shavlik product manager Chris Goettl says. "Based on that, I would recommend the following priorities be added to your April Patch Tuesday activities. Java SE (4 of 7), MySQL (2 of 7), Sun Systems Products Suite (1 of 7) should be updated in this update cycle."

In March, Oracle released an emergency patch for Java to fix a security flaw that allowed attackers to execute code remotely without user credentials, potentially leading to system hijacking and data theft.

The next Oracle CPU is due on 19 July 2016.
