Oracle has released its first quarterly security advisory for the year and it’s one of the biggest ever, fixing a whopping 270 vulnerabilities.
The firm made it clear admins should prioritize this update as soon as possible:
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”
Over 100 (42%) of the patches are slated to fix issues in the Oracle E-Business Suite, 97% of which are remotely exploitable without authentication. This reflects a growing trend of vulnerabilities moving away from Oracle’s database and Java SE product sets, according to ERPScan.
Some 16 of the 270 fixes relate to flaws with a CVSS score of 9 to 10, meaning admins should jump on these fast.
The most critical of these is a CVSS 10-rated bug (CVE-2017-3324) in Primavera P6 Enterprise Project Portfolio Management software, which could allow an unauthenticated attacker to create, delete or modify business critical data.
Also ranked as requiring urgent attention are a CVSS 9.8 bug (CVE-2017-3248) in Oracle’s Oracle WebLogic Server; another (CVE-2016-6303) in PeopleSoft Enterprise PeopleTools; one (CVE-2016-6303) in JD Edwards EnterpriseOne Tools; and a vulnerability (CVE-2016-5019) in Enterprise Manager Base Platform.
Over the past five quarterly patch updates, only one has fixed fewer than 200 bugs. The record number of vulnerabilities still stands at 276, with the update issued in July last year.
The next update comes on 18 April, according to Oracle.