Oracle Critical Patch Update

Oracle has released the latest quarterly critical patch update (CPU). The database gets off lightly this time with two moderate severity vulnerabilities in SQL*Plus and the Oracle JVM. On the other hand, Oracle Secure Backup is not very secure with a bug that can be remotely exploited without authentication. Bad.

The Fusion Middleware stack gets 31 fixes, of which 20 are in the bad group of remotely exploitable without authentication. There is a lot of WebCenter stuff as well as some WebLogic and little Oracle Service Bus. Read the notes and update your environments.

Almost all of the Oracle applications (E-Business Suite, Siebel, J.D. Edwards) are also vulnerable, many through the critical Apache Struts 2 vulnerability (CVE-2017-5638). Oracle has fixed everything related to this Struts 2 bug in this CPU, but if you are running anything else based on Struts 2, make sure you update to a non-vulnerable version.

Leave a Reply