What's big and red and needs 270 security patches?

Oracle software, that's what

By Simon Sharwood, APAC Editor

Posted in Software, 18th January 2017 04:38 GMT

Oracle has revealed its quarterly Critical Patch Update Advisory for January 2017, which offers users a buffet of 270 fixes to apply.

Big Red says that “due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.”

Where to start? Perhaps with the sole problem that rates a ten on the Common Vulnerability Scoring Standard (CVSS) that Oracle uses to assess the scariness of bugs.

That bug impacts Oracle's Primavera project management product, which is susceptible to CVE-2017-3324, a remote code execution and/or denial of service bug present in Internet Explorer 9 and 11.

The Register counts three severity 9.8 bugs in Oracle Enterprise Manager Grid Control; a pair in the Fusion Middleware; and one each in Supply Chain Suite, PeopleSoft, Big Data Graph, JD Edwards and Oracle Communications Applications. Several refer to the same bug – CVE-2016-6303 – that NIST says is an “Integer overflow in the MDC2_Update function in crypto/mdc2/mdc2dgst.c in OpenSSL before 1.1.0 allows remote attackers to cause a denial of service (out-of-bounds write and application crash) or possibly have unspecified other impact via unknown vectors.”

Java has 16 bugs, rated from 9.6 to 3.1. That's half the 32 issues deserving of repair in Oracle's E-Business Suite and Fusion Middleware. Not far behind, with 27 patches apiece, you'll find MySQL's and Big Red's Flexcube banking code.

Plenty of the bugs aren't Oracle's fault: like most sensible software houses, Big Red uses open source code, and flaws in those projects account for quite a few of the 270 recommended patches. ®
