Oracle security warning: Customers told to patch ASAP to swat 297 bugs

Update addresses multiple flaws that can be remotely exploited without user credentials.
Written by Liam Tung, Contributing Writer

Oracle is urging customers to install its April critical patch update, warning that attackers are targeting organisations that are slow to apply fixes for vulnerabilities Oracle has already patched.

The April critical patch update includes fixes for 297 security flaws affecting Oracle's Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, PeopleSoft, and Siebel CRM.

There are also security fixes for the company's industry applications, Java SE, Oracle Virtualization, Oracle MySQL, and Sun Systems products.

This update is slightly bigger than the January critical patch update, which addressed 284 flaws across Oracle's massive portfolio.


Oracle is advising customers to "apply Critical Patch Update fixes without delay", warning that there is evidence attackers are specifically targeting vulnerabilities for which fixes already exist, in the hope that firms have not yet got around to applying them.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," Oracle's security advisory notes.

In this latest update there are five security flaws affecting Java SE, all of which "may be remotely exploitable without authentication", according to Oracle.

The highest-severity Java SE flaw is tracked as CVE-2019-2699 and affects Java SE 8u202. Oracle says it applies to Java deployments, typically clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code from the internet, and that it can also be exploited through a web service that supplies data to the affected APIs.
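As an added example (not code from the article or from Oracle), the following Python check addresses the patch-lag problem the advisory warns about: it parses the banner that `java -version` prints, which uses the legacy `1.8.0_202` form for Java 8 and the `11.0.3` form for Java 9 and later, and flags any Java 8 runtime at or below update 202, the release the advisory lists as affected by CVE-2019-2699. The sample banners are constructed, and the baseline update number is an assumption kept as a parameter so it can be raised when a later update ships.

```python
import re
import subprocess
from typing import Optional, Tuple

# Constructed sample banners, in the form `java -version` writes to stderr.
SAMPLE_BANNERS = {
    "java8_202": 'java version "1.8.0_202"\n'
                 'Java(TM) SE Runtime Environment (build 1.8.0_202-b08)\n',
    "java8_181": 'openjdk version "1.8.0_181"\n'
                 'OpenJDK Runtime Environment (build 1.8.0_181-b13)\n',
    "java11": 'openjdk version "11.0.3" 2019-04-16\n'
              'OpenJDK Runtime Environment (build 11.0.3+7)\n',
}

# Java 8 update level the April 2019 advisory lists as affected. Assumption:
# any Java 8 at or below this update has not received the April CPU.
AFFECTED_JAVA8_UPDATE = 202

# Legacy scheme (Java 8 and earlier): 1.<major>.0_<update>
_LEGACY = re.compile(r'version "1\.(\d+)\.\d+_(\d+)')
# Modern scheme (Java 9+): <major>[.<minor>[.<security>]]
_MODERN = re.compile(r'version "(\d+)(?:\.(\d+))?(?:\.(\d+))?')


def parse_java_version(banner: str) -> Optional[Tuple[int, int]]:
    """Return (major, update) from a java -version banner, or None.

    For the legacy scheme `update` is the 8uNNN number; for the modern
    scheme it is the security (third) component, 0 when absent."""
    m = _LEGACY.search(banner)
    if m:
        return int(m.group(1)), int(m.group(2))
    m = _MODERN.search(banner)
    if m:
        major = int(m.group(1))
        if major == 1:  # legacy banner without an update suffix, e.g. "1.8.0"
            return int(m.group(2) or 0), 0
        return major, int(m.group(3) or 0)
    return None


def is_unpatched_java8(banner: str, baseline: int = AFFECTED_JAVA8_UPDATE) -> Optional[bool]:
    """True if the banner shows Java 8 at or below the affected update.

    False for a newer Java 8 update or for any other major version (this
    check only covers the 8uNNN series); None if the banner is unparsable."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    major, update = parsed
    if major != 8:
        return False
    return update <= baseline


def local_java_banner() -> str:
    """Run `java -version` on this host; the banner goes to stderr."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return proc.stderr or proc.stdout


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name}: version={parse_java_version(banner)} "
              f"unpatched_java8={is_unpatched_java8(banner)}")
```

Run against `local_java_banner()` on a fleet host to find the runtimes that still predate this update; a `False` result for Java 9 and later only means the check does not apply, not that the runtime is current.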

There are also fixes for 53 flaws affecting Oracle Fusion Middleware, of which 42 can be exploited remotely without requiring user credentials. Twelve of them carry a CVSS base score of 9.8 out of a possible 10.

Patches for Oracle E-Business Suite address 35 flaws, of which 33 can be remotely exploited without requiring user credentials, while the patches for Oracle Communications applications address 26 flaws, of which 19 can be exploited remotely without authentication.

Oracle MySQL received fixes for 45 new security flaws. Four of them may be remotely exploitable without authentication.

Of the flaws fixed in the April 2019 update, 106 were reported to Oracle by external researchers. Mateusz Jurczyk of Google Project Zero reported two of the five Java SE vulnerabilities, tracked as CVE-2019-2697 and CVE-2019-2698.


Project Zero has now published proof-of-concept exploit code for the two Java SE flaws, which were found by fuzzing the software. Jurczyk notes that both are heap corruption bugs in the Oracle Java Runtime Environment, version 8u202.

Microsoft's Vulnerability Research team meanwhile reported CVE-2019-2696, a locally exploitable flaw in Oracle VM VirtualBox and one of 15 flaws fixed in Oracle virtualization products.

As noted this month by Oracle chief security officer Mary Ann Davidson, Oracle's own ethical hacking team (EHT) also hunts for bugs in its software using, among other things, a fuzzing tool called "SQL*Splat", which fuzzes SQL code.

"The EHT's job is to attempt to break our products and services before 'real' bad guys do, and in particular to capture 'larger lessons learned' from the results of the EHT's work, so we can share those observations (e.g. via a new coding standard or an automated tool) across multiple teams in development," explained Davidson.

Oracle's next two critical patch updates are scheduled for 16 July and 15 October. 
