Oracle's monster security update: 270 fixes and over 100 remotely exploitable flaws

Oracle urges customers to apply patches immediately to prevent at least 100 remotely exploitable flaws in its products from being exploited.
Written by Liam Tung, Contributing Writer


Oracle has released its first quarterly critical patch update of the year, urging customers to immediately apply the bundle's 270 fixes to a number of its products.

Product families fixed in this update include Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

Oracle's updates are typically large, but the 270 fixes in this advisory fall just short of Oracle's record critical patch update last July, which contained 276 fixes.

As with previous updates, Oracle is urging customers to apply the updates "without delay" as "it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches".

Security firm Qualys notes that over 100 of the flaws fixed in this update can be used by a remote attacker without requiring credentials.

Patches for Oracle's FLEXCUBE financial applications make up 20 percent of this update, with a large share of fixes for Oracle Applications, Fusion Middleware, MySQL, and Java, as well as a significant number of fixes for Oracle's retail applications and PeopleSoft.

Overall, 16 of the 17 Java flaws are remotely exploitable without needing user logins, while five of the 27 MySQL flaws are remotely exploitable.

Qualys' analysis of several popular databases shows that MySQL has seen the largest number of vulnerabilities by CVE tags over the past five years. The cloud security firm reports a 30 percent uptick in those vulnerabilities between 2015 and 2016.

Among the fixes are eight patches for Oracle's retail applications, including one for MICROS, its point-of-sale (POS) systems. Oracle notes that a bug in the MICROS Lucas system is one of two that are remotely exploitable over the web without authentication. The other remote issue affects the Oracle Retail Order Broker.

POS systems have emerged as a prime target for malware designed to steal payment card data from retail and hotel chains.

MICROS came into focus last year after Krebs on Security reported a serious breach of Oracle's MICROS support portal, which is used by its retail customers. The portal was said to have been seen communicating with a server controlled by Carbanak, a notorious Russian cybercrime gang.
