What's big and red and needs 270 security patches?

Oracle software, that's what

By Simon Sharwood

Oracle has revealed its quarterly Critical Patch Update Advisory for January 2017, which offers users a buffet of 270 fixes to apply.

Big Red says that “due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.”

Where to start? Perhaps with the sole problem that rates a ten on the Common Vulnerability Scoring Standard (CVSS) that Oracle uses to assess the scariness of bugs.

That bug impacts Oracle's Primavera project management product, which is susceptible to CVE-2017-3324, a remote code execution and/or denial of service bug present in Internet Explorer 9 and 11.

The Register counts three severity 9.8 bugs in Oracle Enterprise Manager Grid Control; a pair in the Fusion Middleware; and one each in Supply Chain Suite, PeopleSoft, Big Data Graph, JD Edwards and Oracle Communications Applications. Several refer to the same bug – CVE-2016-6303 – that NIST says is an “Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.”

Java has 16 bugs, rated from 9.6 to 3.1. That's half the 32 issues deserving of repair in Oracle's E-Business Suite and Fusion Middleware. Not far behind, with 27 patches apiece, you'll find MySQL's and Big Red's Flexcube banking code.

Plenty of the bugs aren't Oracle's fault: like most sensible software houses, Big Red uses open source code, and flaws in those projects account for quite a few of the 270 recommended patches. ®
