Recent global malware outbreaks WannaCry and NotPetya exposed how much enterprises struggle with patching. Staying current with the latest security patches involves testing, preparing and deploying the updates and enterprises are lagging behind as each product has its own update schedule.It is easy to wag fingers about how it shouldn't take IT more than 60 days to deploy an update, but consider the current workload. On top of the regularly scheduled monthly updates from Microsoft and Adobe, some organizations may need to deal with the latest Cisco patches. Organizations are still working on closing the SMB vulnerability, especially the out-of-network updates for Windows XP and other unsupported systems. Enterprises with iOS devices need to prioritize the latest update to address a serious security flaw in its WiFi chip.Then there is Oracle\u2019s gargantuan Critical Patch Update (CPU), which fixed a whopping 308 vulnerabilities across its entire product portfolio. Over half, or 168, of the fixes address vulnerabilities that could be remotely exploited without needing any kind of user authentication.\u201cFor the second time this year, the latest Oracle patch release has reinforced the accelerating challenges cybersecurity teams face in keeping pace with software flaws and the malicious hackers that exploit them,\u201d said John Matthew Holt, CTO of Waratek.Databases aren\u2019t the focusOn the July CPU, 27 of the vulnerabilities fixed would be rated as critical, as they have a CVSS base score between 9.0 and 10.0. The most critical vulnerability, with the CVSS score of 10.0 was in the Oracle WebLogic Server component of Oracle Fusion Middleware (the JNDI subcomponent). An unauthenticated attacker with network access via HTTP could compromise and take over Oracle WebLogic Server 10.3.6.0 and 22.214.171.124. \u201cWhile the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products,\u201d ERPscan said in its analysis.Security holes in Java tend to have wide-ranging impact, as they can pop up in other applications. The latest CPU fixed 32 vulnerabilities in Java, of which 28 were remotely exploitable without authentication. Three Java SE, Java SE Embedded and JRockit vulnerabilities were considered critical, with a CVSS base score of at least 9.0. All affect multiple versions of the respective software.Oracle may be perceived as the \u201cdatabase company,\u201d but its flagship product Oracle Database Server hasn\u2019t been a major focus of the CPU in years, and that remains the case even with this monster update. The giant released only five patches for Oracle Database Server, three of which are remotely exploitable in the Oracle Secure Backup and Oracle Big Data Graph components included with the server. The CPU had 30 patches for MySQL, the database Oracle acquired as part of its 2009 Sun acquisition, of which nine were remotely exploitable without authentication.That\u2019s not to say there are no serious bugs left in the databases. Two of the three most critical vulnerabilities fixed in the CPU were in Oracle Database Server and MySQL. The vulnerability in the OJVM component (CVE-2017-10202) in Oracle Database Server 126.96.36.199, 188.8.131.52, 184.108.40.206\u00a0 has a CVSS base score of 9.9. A low privileged attacker with \u201cCreate Session, Create Procedure\u201d privilege who has remote access to the database over multiple protocols can compromise and take over the OJVM.[Related: Oracle fixes Struts and Shadow Brokers exploits in huge patch release]The third most critical flaw, with a CVSS base score of 9.8, is in the Monitor: General (Apache Struts 2) subcomponent in the MySQL Enterprise Monitor component of MySQL 220.127.116.1158 and earlier, 18.104.22.1681 and earlier, and 22.214.171.1242 and earlier. The vulnerability can be exploited by an unauthenticated attacker with network access via HTTP over TLS to compromise MySQL Enterprise Monitor.Vulnerabilities in business applicationsSo far in 2017, Oracle has patched 878 vulnerabilities across nearly two dozen product suites. Nearly two-thirds of the suites patched in this CPU are business critical applications, including the Oracle Hospitality Suite, Oracle E-Business Suite and Oracle PeopleSoft. Considering the breadth of Oracle\u2019s portfolio, the updates impact a large number of enterprise applications and data, making the process of testing and deploying patches even more of a challenge.Oracle fixed 120 vulnerabilities in Oracle E-Business Suite, of which 118 are remotely exploitable. Security company Onapsis said the critical information disclosure (CVE-2017-10244) flaw, if exploited, would let attackers download business documents and configuration files without needing valid user credentials. Attackers can find exposed vulnerable Oracle EBS systems using Shodan and send carefully crafted requests using specific parameters to bypass authentication. All the business documents that were attached by users across different EBS modules, regardless of format, can be downloaded using a single HTTP request.Oracle EBS versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 are affected. \u201cThis vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it. Even systems in DMZ mode do not ensure these systems are not vulnerable,\u201d said Onapsis CTO Juan Perez-Etchegoyen.Considering the suite includes applications that handle CRM, financials, service and supply chain management, and procurement, among other critical business functions, impacted documents include invoices, resumes from potential job candidates, design documents, customer information, financial reports and others containing personal identifiable information (PII).\u00a0\u201cFinally, depending on the industry, the exposure of these documents could lead to costly compliance violations with SOX, PCI-DSS, NIST, PII and SPI Privacy Laws, to name a few,\u201d said Matias Mevied, the Oracle Security Specialist at Onapsis.ERPscan said the number of issues fixed in Oracle PeopleSoft, which includes PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management, during this single update was \u201calarming.\u201d For comparison, Oracle fixed 44 issues in PeopleSoft in all of 2016. Of the 30 vulnerabilities in PeopleSoft, 20 could be exploited over the network without requiring user credentials. More than 1,000 PeopleSoft applications are exposed to the Internet, making this another juicy target for attackers.[Related: Oracle patches raft of vulnerabilities in business applications]It is only recently that researchers have started digging into business applications such as Oracle EBS and PeopleSoft. They weren\u2019t originally built with security in mind and are typically not covered under traditional IT and security defenses. Considering the critical nature of these applications, securing these applications get tougher when downtime isn\u2019t an option.Not patching, or delaying, isn\u2019t an optionAttackers don\u2019t bother with zero-day vulnerabilities when they can exploit flaws that have been disclosed publicly. Just because a patch is available doesn\u2019t mean the software has been updated. Consider that the WannaCry ransomware worm easily spread globally because of the number of Windows systems that had not yet been updated with the security update. Security teams are overburdened and under-resourced; they cannot apply physical patches fast enough to stay ahead of the attackers. But these applications need to be updated\u2014they contain too many critical pieces of information to risk having them open to attack.