334 vulnerabilities found in Oracle; security patches already available

On a regular basis, technology companies’ vulnerability testing teams release updates to their systems, ensuring the proper functioning of their developments, as well as preventing the exploitation of recently found security flaws.

This is a permanent task, as threat actors don’t stop their search for new attack methods, so companies must sometimes release dozens or even hundreds of updates to keep their systems secure. This is the case with Oracle, which has just released its first Critical Patch Update (CPU) of the year, consisting of 334 security patches aimed at fixing potential flaws in 94 different products.

This figure equals the record for fixes released in a single update package, set by the January 2018 Oracle CPU. Among the main items in the 2020 CPU are two vulnerabilities in Oracle Human Resources that received a score of 9.9/10 on the CVSS scale. Oracle vulnerability testing teams emphasize that authentication is required to exploit these flaws.

Another 31 vulnerabilities present in various products received a score of 9.8/10; affected deployments include:

  • Oracle WebLogic
  • Oracle Communications Instant Messaging Server
  • Enterprise Manager Ops Center
  • Oracle Application Testing Suite
  • Hyperion Planning, among others

During the last few weeks the company received reports on exploitation of these flaws in the wild, so system administrators are advised to install this set of security patches as soon as possible.

In addition to the aforementioned errors, vulnerability testing experts reported at least a dozen vulnerabilities in Oracle Database Server that are exploitable remotely and without authentication. On average, these errors received a score of 7.7/10 on the CVSS scale. In addition, at least 25 vulnerabilities were fixed in Oracle Communications Applications, including 20 flaws that are remotely exploitable without authentication. Other potentially affected products include Oracle Fusion Middleware and the Oracle E-Business Suite.

According to the International Institute of Cyber Security (IICS), at least 190 of the flaws corrected in this Oracle CPU are exploitable remotely and without the need for authentication on the target system. The next Oracle CPU is scheduled to be released on July 14.
