Oracle security update patches record 276 vulnerabilities

A number of the bugs are critical issues that can lead to remote code execution.
Written by Charlie Osborne, Contributing Writer

Oracle's latest patch update was released on Tuesday, containing a record 276 fixes for vulnerabilities across an array of Oracle software.

According to the tech giant's security advisory, the July Critical Patch Update (CPU) includes security fixes for 84 products in total, including Fusion Middleware, MySQL, Java and Enterprise Manager software.

As noted by Qualys, in 2015 Oracle fixed an average of roughly 161 vulnerabilities per update, and in 2014, the average was 128 fixes.

What makes things worse is that out of the 276 vulnerabilities in the July update, 159 can be exploited remotely without authentication, most often over a vulnerable network and without any requirement for user credentials. In total, 19 of these security issues have been assigned CVSS scores of 9.8 -- and considering the top danger rating is 10, it cannot get much worse. In addition, many of the flaws have a score of 9 or above.

Oracle patched a total of 39 security flaws in Fusion Middleware. This web server software, including Oracle HTTP Server, WebLogic Server and GlassFish, contained a disproportionately high number of critical issues. Out of 39 flaws, 35 were exploitable remotely without authentication, potentially placing business data and networks at serious risk.

In addition, operating system and networking hardware, including the Oracle Sun Systems suite, contained 34 vulnerabilities, 21 of which can grant attackers the chance to execute code remotely.

Oracle has also patched 22 problems with MySQL, 23 E-Business Suite vulnerabilities, and 9 Database Server problems.

While Java SE is often at the top of the list when it comes to critical security problems, in this security update, there were only 13 vulnerabilities to patch -- but 4 were deemed severe enough to be awarded a score of 9.6 on the CVSS rating system.

In April, Oracle's patch update included 136 fixes for vulnerabilities affecting software including Oracle Database Server, Java, MySQL and Solaris -- as well as one security problem dating back to 2011.

The next Oracle CPU is due on 18 October 2016.
