Oracle drops 248 – count 'em – 248 patches, to fix ... something
Big Red helpfully (?) only reveals the reasons for patches to those with support deals
Oracle has just pushed out its quarterly batch of critical patches, so sysadmins had best get busy.
The bug-splat haul covers a record-setting 248 individual fixes, with the full list here.
The Oracle E-Business Suite gets the biggest serve, with a whopping 78 bugs patched, 68 of which are remotely exploitable without authentication.
As always, there's Java fixes in the mix: eight patches, of which seven are fixing remotely-exploitable no-authentication-needed vulnerabilities. Four are client-only, and four apply to both the client side and the server side.
Java fixes include 2015's png/libpng bug, CVE-2015-8126.
Sun Systems products get 23 fixes, seven of which are remotely exploitable.
There's a small sigh of relief for MySQL Server users, since although the patch-round covers 22 vulnerabilities, only one is remotely exploitable.
The VirtualBox VM vuln turns out to be vulnerable to the same kind of exploit as hit Xen last year, so there's a fix for CVE-2015-7813 (for Xen, it was a denial-of-service caused by firing repeated console login attempts). There are four other fixes in the virty suite, covering both VirtualBox and the Oracle Secure Global Desktop.
Three fixes for Java SE and three for data integration tool GoldenGate score the maximum CVSS rating of 10.0, meaning they are very, very unpleasant bugs indeed that deserve rapid patching.
We'd tell you more, but unlike other vendors (Cisco is a good example of publication), Oracle gives its risk matrices to everyone but keeps the details of individual CVEs (Common Vulnerabilities and Exposures) to users with log-ins to its support portal. Only where it's fallen prey to a widespread bug (like the Xen bug mentioned above) can outsiders see what's being fixed. So we can tell you there's lot of patching to be done, but only Oracle users know if Oracle's messed up badly, or is just tidying up. ®