Oracle released its quarterly Critical Patch Update last week with fixes for 154 security vulnerabilities across a range of its products.
The products include Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.
One of the most notable flaws is CVE-2015-4902, used by Pawn Storm attackers to bypass the click-to-play protection in Java in a campaign against NATO members and the White House earlier this year, according to researchers at Trend Micro.
Vulnerabilities in Java SE and Fusion Middleware should come near the top of the priority list, since 24 and 16 of them respectively are remotely exploitable, according to Shavlik product manager Chris Goettl.
Patches are often made available but not always applied promptly. Oracle software security assurance director Eric Maurice said system administrators should apply these as soon as possible because of the “severity of a number of vulnerabilities fixed” in this update round.
“As of October 19th, the company’s security team didn’t have any indication that any of the most severe vulnerabilities fixed in this Critical Patch Update had been successfully exploited (some of these bugs were discovered internally as part of our ongoing assurance effort),” he said.
“However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort. Keeping up with security releases is important to help preserve a security-in-depth posture.”