Oracle fixes Struts and Shadow Brokers exploits in huge patch release

The quarterly Oracle patch update fixes almost 300 vulnerabilities

Romania Correspondent, IDG News Service

[Image: Oracle headquarters. Credit: Magdalena Petrova]

Oracle has released a record 299 security fixes for vulnerabilities in its products, including patches for a widely exploited vulnerability in the Apache Struts framework and a Solaris exploit supposedly used by the U.S. National Security Agency.

The Struts vulnerability allows remote code execution on Java web servers and was patched by the Apache project on March 6. Attackers adopted it quickly and have used it in widespread attacks since then.

Oracle uses Apache Struts 2 in several of its products, which is why Tuesday's critical patch update (CPU) fixed 25 instances of the vulnerability in Oracle Communications, Retail and Financial Services applications, as well as in the MySQL Enterprise Monitor, Oracle WebCenter Sites, Oracle WebLogic Server and the Siebel E-Billing app.

The company also fixed the vulnerability behind the EXTREMEPARR exploit for Solaris 10 that was leaked recently by a group called Shadow Brokers as part of a larger data dump of alleged NSA cyber tools. Another Solaris exploit that was part of the same arsenal and was dubbed EBBISLAND has been patched since 2012 in Solaris 10 Update 11, Oracle said.

Oracle's quarterly patch bundle contains fixes for 40 vulnerabilities that are rated as critical, 25 of which have the highest severity score of 10 in the Common Vulnerability Scoring System (CVSS). Overall, 162 out of the 299 patched vulnerabilities are remotely exploitable.

Oracle's applications for specific industry sectors -- financial services, retail, communications, utilities, hospitality, health sciences and insurance -- account for almost 40 percent of all security fixes this quarter, according to an analysis by security vendor ERPScan.

Oracle business-critical applications like Oracle PeopleSoft, E-Business Suite, JD Edwards, Siebel CRM and the Primavera Products Suite received 83 security fixes.

"Nowadays, hackers set their eyes on enterprises more than on individuals, as they understood that this option is more profitable," said Alexander Polyakov, CTO at ERPScan. "Taking into account that Oracle’s products are installed in the largest enterprises, these applications can be the ultimate target."

On the database side, Oracle patched 39 vulnerabilities in MySQL and 3 in its Oracle Database Server. Java also received 8 security fixes.

Triaging and deploying the patches that make up this Oracle CPU, the largest the company has ever released, will be a lot of work for systems administrators. The size of Oracle's quarterly updates has grown steadily over the years, raising the question of whether a monthly update cycle would be more appropriate than a quarterly one.

Lucian Constantin is an IDG News Service correspondent. He writes about information security, privacy, and data protection.