Oracle has released its Critical Patch Update for April 2019, which includes 297 vulnerability fixes across multiple products. Oracle continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have been successful in exploiting vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle strongly recommends “that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” as noted in the latest security advisory.
Six vulnerabilities were fixed in Oracle Database Server: one rated critical that impacts Core RDBMS (CVE-2019-2517) and another rated moderate that also impacts Core RDBMS and can be remotely exploited without authentication (CVE-2019-2582).
Oracle Communications Server received 26 security bug fixes; 19 of these vulnerabilities may be remotely exploitable without authentication. Nine were rated critical (CVSS score of 9.8 or higher).
Oracle patched 11 vulnerabilities (2 critical) in its Oracle Enterprise Manager Products Suite. Seven of them could also be exploited without requiring credentials.
Fusion Middleware also received a large number of patches: 53 security fixes, 14 of them rated critical. All of the critical Fusion Middleware bugs and 28 others could be exploited without authentication.
Of additional note, Oracle also provided fixes for the following products (with total and critical vulnerabilities patched for each):
- Oracle Berkeley DB (1 total)
- Oracle Commerce (3 total)
- Oracle Construction and Engineering Suite (8 total, 4 critical)
- Oracle E-Business Suite (35 total)
- Oracle Financial Services Applications (14 total, 2 critical)
- Oracle Food and Beverage Applications (1 total)
- Oracle Health Sciences Applications (2 total, 1 critical)
- Oracle Hospitality Applications (5 total, 2 critical)
- Oracle Java SE (5 total, 1 critical)
- Oracle JD Edwards Products (8 total, 1 critical)
- Oracle MySQL (45 total)
- Oracle PeopleSoft Products (12 total)
- Oracle Retail Applications (24 total, 6 critical)
- Oracle Siebel CRM (8 total, 4 critical)
- Oracle Sun Systems Products Suite (3 total)
- Oracle Supply Chain Products Suite (5 total, 2 critical)
- Oracle Support Tools (1 total)
- Oracle Utilities Applications (6 total, 3 critical)
- Oracle Virtualization (15 total, 1 critical)
Many of the vulnerabilities listed for these products can be exploited without authentication.
This month’s Oracle patch advisory also shows a higher number and percentage of Oracle product vulnerabilities rated critical (CVSS score of 9.0 or higher) than recent previous patch advisories. For example, April’s update included nearly 53 critical vulnerability fixes, compared with last quarter’s 32 critical fixes (in January 2019).
System administrators should apply the necessary patches as soon as possible to mitigate the threats.