Oracle's quarterly security release offers 253 patches

15 are critical, some allowing complete system compromise over HTTP

Oracle has released its quarterly patch dump, this time offering 253 fixes for 76 products.

Of those, 15 have a Common Vulnerability Scoring System (CVSS) score of 9.0 or over, making them critical. Interestingly, Oracle's short-form announcement of the patch dump includes this warning regarding critical bugs. Italics are Oracle's:

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

The verbose patch dump explainer tells us that the worst bugs make it possible to compromise Oracle Big Data Discovery, Oracle Web Services, Oracle Commerce or WebLogic over HTTP.

Of course there are nasty Java vulns, two in fact, that allow an “unauthenticated attacker with network access via multiple protocols to compromise Java SE.”

“Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.”

Another critical bug, rated 9.1, hits the “OJVM component of Oracle Database Server” versions 11.2.0.4 and 12.1.0.2. This “Easily exploitable vulnerability allows high privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise OJVM. While the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM.”

Database users, beware: the Application Express component of Oracle database server has “Easily exploitable vulnerability [that] allows unauthenticated attacker with network access via HTTP to compromise Application Express.”

Those of you persisting with the Sun Ray thin client caper have an 8.2-rated bug to deal with, unless you are happy for Sun Ray OS to hang completely and deprive you of your virtual desktops.

One of many PeopleSoft problems “can result in unauthorized access to critical data or complete access to all PeopleSoft Enterprise PeopleTools accessible data.”

Another flaw “can result in takeover of JD Edwards EnterpriseOne Tools.”

We could go on, but you get the idea: there are a lot of fixes on offer, and many of them are worthy of your attention sooner rather than later. Oh, and wow: Oracle sure does have a lot of ways for you to lose data, and opinions about its security capabilities are perhaps not helped by the very large number of patches that arrive with each quarterly release. Or by the fact that Oracle allows problems to fester for up to 90 days when other vendors see fit to issue monthly patches. ®
