Oracle has released its Critical Patch Update for July 2018, which contains 334 new security fixes across multiple Oracle products.
Administrators should take special note of critical vulnerabilities that can be remotely exploited without authentication.
For example, an Oracle Database Server ‘Oracle Spatial (jackson-databind)’ deserialization vulnerability (CVE-2017-15095) has a CVSS score of 9.8, requires no authentication, and takes little skill or complexity to exploit.
Additional critical vulnerabilities and patches are listed for Oracle Global Lifecycle Management OPatchAuto (CVE-2018-7489) as well as Oracle Communications User Data Repository (CVE-2016-2099). Each carries a similar CVSS score of 9.8 and can be remotely exploited with no authentication.