Oracle security warning: Customers told to patch ASAP to swat 297 bugs

Oracle is urging customers to install its April critical patch update to protect themselves against attackers who are targeting businesses that are slow to patch vulnerabilities for which fixes are already available.

The April critical patch update includes fixes for 297 security flaws affecting Oracle's Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, PeopleSoft, and Siebel CRM.

There are also security fixes for the company's industry applications, Java SE, Oracle Virtualization, Oracle MySQL, and Sun Systems products.

This update is slightly larger than the January critical patch update, which addressed 284 flaws across Oracle's vast portfolio.

Oracle is advising customers to "apply Critical Patch Update fixes without delay", warning there is evidence that hackers are specifically targeting already-fixed vulnerabilities in the hope that businesses will not have gotten around to patching them.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," Oracle's security advisory notes.

In this latest update there are five critical flaws affecting Java SE, and all of them "may be remotely exploitable without authentication", according to Oracle.

The highest severity Java SE flaw is tracked as CVE-2019-2699 and affects Java SE 8u202. It affects Java deployments such as clients running sandboxed Java Web Start applications or sandboxed Java applets that run code from the internet. Oracle notes the flaw can be exploited through a web service that supplies data to the APIs.

There are also fixes for 53 flaws affecting Oracle Fusion Middleware, of which 42 can be exploited remotely without requiring user credentials. Twelve of the bugs have a severity rating of 9.8 out of a possible 10.

Patches for the Oracle E-Business Suite address 35 flaws, of which 33 can be remotely exploited without requiring user credentials, while the patches for Oracle Communications applications address 26 flaws, of which 19 can be exploited remotely, no passwords needed.

Oracle MySQL received fixes for 45 new security flaws. Four of them may be remotely exploitable without authentication.

Of the bugs in the April 2019 patch update, 106 were reported to Oracle by external researchers. Mateusz Jurczyk of Google Project Zero reported two of the five Java SE vulnerabilities, which are tracked as CVE-2019-2697 and CVE-2019-2698.

Project Zero has now published proof-of-concept exploit code for the two Java SE flaws, which were found while fuzz testing the software. Jurczyk notes they were both heap corruption flaws affecting the Oracle Java Runtime Environment in version 8u202.

Microsoft's Vulnerability Research team meanwhile reported CVE-2019-2696, a locally exploitable flaw in Oracle VM VirtualBox, which was one of 15 flaws affecting Oracle virtualization products.

As noted this month by Oracle chief security officer Mary Ann Davidson, Oracle's own ethical hacking team (EHT) also hunts for bugs in its software using, among other things, a fuzzing tool called "SQL*Splat", which fuzzes SQL code.

"The EHT's job is to attempt to break our products and services before 'real' bad guys do, and especially to capture 'larger lessons learned' from the results of the EHT's work, so we can share those observations (e.g. via a new coding standard or an automated tool) across multiple teams in development," explained Davidson.

Oracle's next two critical patch updates are scheduled for 16 July and 15 October.