Oracle released its latest quarterly Critical Patch Update on Tuesday, and it is the biggest yet, fixing 276 issues across more than 80 products.
To put that in perspective, Oracle patched an average of 161 bugs per update last year, according to Qualys, making this quarter's release a substantial undertaking for administrators.
What's more, of the 276 flaws, 159 can reportedly be exploited remotely without authentication, increasing the pressure on the separate teams that will need to patch the databases, networking components, application servers, operating systems and ERP systems listed in Oracle's advisory.
There are also 28 bugs with a CVSS score above 9.0, placing them in the "critical" band; the majority of these are rated 9.8 out of a maximum of 10.0.
Amol Sarwate, director of vulnerability labs at Qualys, said administrators should prioritize the patches for the widely deployed Java SE, which fix 13 issues, nine of them remotely exploitable.
OS and networking teams should focus on Solaris, Linux, Sun Blade and the switches in the Oracle Sun Systems Products Suite, which account for 34 bugs. On the database side, MySQL, with 22 issues, is the one to watch, followed by Oracle Database Server with nine flaws.
“Typically databases are not exposed directly to the internet but as they hold the crown jewels of any organization we recommend patching immediately,” said Sarwate.
When it comes to web servers, components accessible externally over the network like Oracle HTTP Server, WebLogic Server, and GlassFish Server should be prioritized, he added.
“These typically are included in the Fusion Middleware and 35 of the total 39 vulnerabilities are exploitable remotely without authentication,” said Sarwate. “There are also other components like Enterprise Manager Grid Control, E-Business Suite and Supply Chain Products where web servers from the respective components are affected and HTTP is the main attack vector.”
The bad news doesn’t end there.
On Wednesday, Cisco Talos claimed 18 of the bugs affected Oracle’s Outside In Technology (OIT) suite of SDKs, meaning that some popular third-party products including the Google Search Appliance, Microsoft Exchange and IBM WebSphere Portal could also be at risk.