Oracle whips out the swatter, squishes 254 security bugs in its gear
Java fixes lobbed out, Spectre Solaris patches issued
Oracle this week emitted its April security update, addressing a total of 254 security vulnerabilities across dozens of products.
Among the more noteworthy patches is a fix for lingering Spectre-related vulnerabilities in Solaris systems – specifically, CVE-2017-5753, also known as Spectre variant 1. Oracle had mitigated most of the Spectre/Meltdown processor design bugs in its products back in January. This update applies further fixes for Solaris versions 10 and 11.3.
Java was on the receiving end of patches for 14 CVE-listed vulnerabilities, including 12 that are remotely exploitable without user notification. Three of the flaws, CVE-2018-2825, CVE-2018-2826, and CVE-2018-2814, would allow Applet or Java Web Start apps to either crash or take over Java SE.
Fusion Middleware got fixes for 39 bugs, including 30 that can be exploited remotely. These include CVE-2017-5645, a particularly nasty remote takeover flaw in several Fusion Middleware applications that can be exploited over an HTTP connection.
For Oracle's MySQL, the update will see 33 patches for various flaws, two of which (CVE-2018-2761, CVE-2017-3737) are remotely exploitable. Oracle Database, meanwhile, will only need two patches: one for a JavaVM bug (CVE-2018-2841), and one for Oracle GoldenGate (CVE-2018-2832).
E-Business Suite will get 12 fixes, 11 for CVE-listed vulnerabilities that can be remotely exploited. Two of those, CVE-2018-2870 and CVE-2018-2871, are particularly nasty bugs that allow for what Oracle describes as "unauthorized creation, deletion or modification access to critical data or all Oracle Human Resources accessible data as well as unauthorized access to critical data or complete access to all Oracle Human Resources accessible data."
Oracle Financial Services Applications will get 36 vulnerabilities patched, 18 of those being remotely exploitable flaws. PeopleSoft received 12 fixes, including 8 that can be remotely exploited.
The enterprise software giant is advising admins to check their products for the patches and, if needed, test and install them as soon as possible. ®
PS: Speaking of Oracle and Java, commercial users of Java SE 8 will no longer receive public updates for the software after January 2019 unless they get a commercial license. "Public updates for Oracle Java SE 8 will remain available for individual, personal use through at least the end of 2020," Oracle added. Oracle publishes a support roadmap for Java SE if you want to check where you're at with updates.