297 Flaws Patched by Oracle in its April Security Update

Oracle’s April security update includes patches for 297 vulnerabilities across its product suite. Users of Oracle products have been advised to update the products as soon as possible to prevent the vulnerabilities from being exploited.

This is especially important for this security update as it includes 53 critical bugs that have been assigned a CVSS v3 base score of 9.0 or above. 47 of those have a CVSS v3 score of 9.8.

The patches address vulnerabilities in 23 Oracle products.

53 patches have been issued to correct vulnerabilities in the digital business platform Oracle Fusion Middleware, including more than a dozen flaws that have a CVSS score of 9.8. 42 of the bugs in Fusion Middleware can be exploited remotely without authentication.

45 vulnerabilities have been corrected in Oracle MySQL, four of which can be exploited remotely without authentication. 35 patches have been issued for Oracle E-Business Suite, 33 of which can be exploited remotely without authentication.

26 flaws have been corrected in Oracle Communications Applications, 24 in Retail Applications, 15 in Oracle Virtualization, and 12 in Oracle PeopleSoft Products.

A large percentage of the vulnerabilities can be exploited remotely without credentials. Attackers could potentially exploit the flaws to gain access to servers, establish a foothold in the network, move laterally, and search for and exfiltrate sensitive information. Many of the flaws are also easy to exploit, requiring little in the way of technical skill.

Full details of the vulnerabilities can be found on this page.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news