Oracle has released its Critical Patch Update for July 2019 to include 319 vulnerability fixes across multiple products. The company also continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have been successful in exploiting vulnerabilities because organizations failed to apply the necessary Oracle patches. Oracle strongly recommends “that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” as noted in the latest security advisory.
Oracle patches
Nine vulnerabilities were fixed in Oracle Database Server, one rated critical that impacts Core RDBMS (CVE-2019-11058). Also, two high risk vulnerabilities affect Oracle ODBC Driver (CVE-2019-2799) and Core RDBMS (CVE-2019-2776).
Oracle Communications Server had 24 security bug fixes. Hackers could exploit 21 of these vulnerabilities remotely and without authentication. Also, nine bugs are rated critical (CVSS base score of 9.8 or higher) and ten others are rated high severity.
Oracle patched 12 vulnerabilities (2 critical) in its Oracle E-Business Suite. 11 of them could also be exploited without requiring credentials.
The company also patched 12 vulnerabilities (3 critical) in its Oracle Enterprise Manager Products Suite. Ten of them could also be exploited without requiring credentials.
Oracle Financial Services Applications had a whopping 60 security fixes, 12 of them rated critical. To add, attackers could exploit 50 of them without authentication.
A large number of Fusion Middleware vulnerabilities were also patched to include 33 security fixes, 5 of them rated critical. All of the critical Fusion bugs and 23 others could be exploited without authentication.
In addition, Oracle patched 45 security issues in Oracle MySQL. The update includes one fix for a critical MySQL Server Packaging (cURL) vulnerability CVE-2019-3822.
Of additional note, Oracle also provided security fixes for the following products (with total and critical vulnerabilities patched for each):
- Oracle Berkeley DB Risk Matrix (5 total)
- Oracle Construction and Engineering Suite (8 total, 2 critical)
- Oracle Food and Beverage Applications (3 total)
- Oracle Hospitality Applications (2 total)
- Oracle Hyperion (3 total)
- Oracle Insurance Applications (7 total, 3 critical)
- Oracle Java SE (10 total)
- Oracle GraalVM (2 total)
- Oracle JD Edwards Products (5 total, 3 critical)
- Oracle PeopleSoft Products (8 total)
- Oracle Retail Applications (21 total, 3 critical)
- Oracle Siebel CRM (3 total)
- Oracle Sun Systems Products Suite (14 total, 4 critical)
- Oracle Supply Chain Products Suite (8 total, 2 critical)
- Oracle Support Tools (7 total, 1 critical)
- Oracle Utilities Applications (3 total, 2 critical)
- Oracle Virtualization (14 total).
Many of the vulnerabilities listed for these products can be exploited without authentication.
This month’s Oracle patch advisory also reveals a higher number and percentage of the Oracle product vulnerabilities are rated critical (9.0 or higher CVSS score).
System administrators should apply the necessary patches as soon as possible to mitigate the threats.