The Oracle July critical patch update issued today is the biggest to date. In total, 276 security vulnerabilities have been addressed across 84 different products. Oracle's previous record was 248 vulnerabilities, set in its January update.
The last update issued by Oracle addressed fewer than half as many vulnerabilities as the July critical patch update. More than half of the fixed vulnerabilities were classed as critical, and 159 can be exploited remotely by a malicious actor without authentication. 19 vulnerabilities carry a CVSS 3.0 base score of 9.8, which is the score given to a flaw that is reachable over the network, requires no privileges and no user interaction, and gives the attacker full control over confidentiality, integrity and availability. In practice that means these bugs can be exploited remotely without any username or password.
The vulnerability classes fixed include cross-site scripting (XSS), server-side request forgery (SSRF), SQL injection and OLAP DML injection.
While many different products had security flaws fixed by the Oracle July critical patch update, Oracle Fusion Middleware received the most fixes, with 40 vulnerabilities corrected, 35 of which can be exploited remotely. The Oracle Sun Systems Products Suite had 34 vulnerabilities addressed, 21 of them remotely exploitable. 23 vulnerabilities in Oracle E-Business Suite were corrected, 21 of which can be exploited remotely. 13 vulnerabilities in Java SE were also addressed in this update; nine of those are remotely exploitable without authentication.
As Oracle administrators will be aware, applying the patches is unlikely to be straightforward, and given the sheer number involved the process will be time consuming and difficult. Oracle installations are usually complex, and most organizations run a variety of customizations that have to be regression-tested against each patch before it goes into production.
As always, the most critical vulnerabilities should be dealt with first, and there are many of them in this update. The most severe, the 9.8-rated flaws, affect nine different Oracle product suites, including Oracle Supply Chain Products, Oracle Communications Applications, Oracle Fusion Middleware, Oracle Health Sciences, Oracle Retail Applications, Oracle Sun Systems Products Suite and Oracle Virtualization. Patches for those products, and for any instance that is reachable from the internet and affected by a flaw exploitable remotely without authentication, should go to the front of the queue.