Yesterday, Oracle released its quarterly critical patch update (CPU) for Q3 2018, the October edition. 301 vulnerabilities were patched.
Of the 301 vulnerabilities, 45 were classified with a rating of 9.8 (on a scale of 10) and one even received the maximum rating of 10.
Vulnerabilities with these severity ratings can be exploited remotely, without authentication, and the exploit is accessible to low-skilled attackers, even those with no in-depth technical knowledge.
According to Oracle, its security team will publish more information about each vulnerability in the coming days. This gives companies more time to update affected applications before details about each flaw become generally available to everyone, including the bad guys.
The vulnerability rated 10.0 impacts Oracle GoldenGate, a data replication framework that can work with large quantities of information in real time.
This issue doesn’t only impact standalone GoldenGate installations, but also the numerous other Oracle product setups where GoldenGate can be deployed as an add-in option, such as the Oracle Database Server, DB2, MySQL, Sybase, Teradata, and others.
Vulnerabilities rated 9.8 were reported in products such as the Oracle Database Server, Oracle Communications, the Oracle Construction and Engineering Suite, the Oracle Enterprise Manager Products Suite, Oracle Fusion Middleware, Oracle Insurance Applications, Oracle JD Edwards, MySQL, Oracle Retail, the Oracle Siebel CRM, and the Oracle Sun Systems Products Suite.
Despite the staggering number of patched flaws, this isn’t Oracle’s biggest recorded CPU. That title goes to July 2018’s CPU, which addressed 334 vulnerabilities, 55 of which had a 9.8 severity rating.
This was also Oracle’s last CPU for 2018. According to the folks at ERPScan, Oracle patched 1119 vulnerabilities in 2018, the same number of flaws it patched in 2017.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and also a Security Evangelist. He is also a founding member at CSIRT.UBI and Editor-in-Chief of the security computer blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.