Oracle issues a record number of security fixes - with 19 rated about as critical as they come

Busy week of security patching for organisations running anything Oracle

Oracle has released a record number of fixes this week to patch a total of 276 vulnerabilities in its enterprise software packages - with 19 of the fixes rated 9.8 out of 10 for security. The avalanche of patches outdoes the company's previous record of 248, which was set in January.

According to enterprise software security company ERPScan, most of the fixes relate to Oracle's Fusion Middleware and Oracle Sun Systems Products Suite, but 36 of the patches address vulnerabilities in industry-specific ERP systems. This includes 10 that can be exploited remotely without authentication, making them particularly dangerous, and 16 affecting the retail sector.

More than 40 per cent of the patches are intended to fix vulnerabilities in Oracle's various enterprise resource planning (ERP) applications, including Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products, and Oracle Database Server.

But the most critical issues, rated 9.8 out of 10 according to Oracle's own risk matrices, affect Oracle WebLogic Server, Oracle Directory Server (enterprise edition), Hyperion Financial Reporting, Oracle Health Sciences Clinical Development Center, and Oracle Secure Global Desktop.

ERPScan describes the WebLogic Server vulnerability as "easily exploitable". It enables an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. "Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server," warns ERPScan. Similar attacks afflict Directory Server, Oracle Health Sciences, and the Hyperion Financial Reporting package.

The Oracle Secure Global Desktop, meanwhile, suffers from an "easily exploitable vulnerability [that] allows unauthenticated attacker with network access via SSL/TLS to compromise Oracle Secure Global Desktop. Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop", according to ERPScan.

It concludes: "It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists."
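One way to turn the risk-matrix data behind a patch update like this into a patching order is to parse each entry's CVSS v3 vector and rank the unauthenticated, network-reachable issues first. The script below is an added example and is not part of the article or of Oracle's or ERPScan's tooling: the rows, CVE ids, scores and vector strings are constructed placeholders, and the tier thresholds (9.0 and 7.0) and the "unauthenticated remote" test (AV:N, PR:N, UI:N) are assumptions modelled on the attack pattern the article describes, not Oracle's own classification.

```python
"""Triage patch-update entries by CVSS v3 base score and vector string.

Added example; not from the article, Oracle or ERPScan. All rows below are
constructed placeholders in the shape of an Oracle risk-matrix line.
"""
from dataclasses import dataclass

# Constructed sample rows: product, placeholder CVE id, CVSS v3 base score,
# CVSS v3 vector string. None of these are real advisory entries.
SAMPLE_MATRIX = [
    ("Oracle WebLogic Server", "CVE-XXXX-0001", 9.8,
     "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("Oracle Secure Global Desktop", "CVE-XXXX-0002", 9.8,
     "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    ("Oracle PeopleSoft", "CVE-XXXX-0003", 7.2,
     "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"),
    ("Oracle Database Server", "CVE-XXXX-0004", 5.5,
     "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
    ("Oracle JD Edwards", "CVE-XXXX-0005", 6.1,
     "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),
]

# Assumed tier thresholds; an organisation would set its own.
CRITICAL_SCORE = 9.0
HIGH_SCORE = 7.0


@dataclass
class Finding:
    product: str
    cve: str
    score: float
    vector: dict  # parsed CVSS metrics, e.g. {"AV": "N", "PR": "N", ...}


def parse_cvss_vector(vector: str) -> dict:
    """Parse a CVSS v3 vector string into a metric -> value dict.

    Raises ValueError on malformed input so that a bad row fails loudly
    instead of being silently triaged as low risk.
    """
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError(f"not a CVSS v3 vector: {vector!r}")
    metrics = {}
    for part in parts[1:]:
        key, sep, value = part.partition(":")
        if not sep or not key or not value:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        metrics[key] = value
    required = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"}
    missing = required - metrics.keys()
    if missing:
        raise ValueError(f"{vector!r} is missing metrics {sorted(missing)}")
    return metrics


def load_findings(rows):
    """Build Finding objects from (product, cve, score, vector) tuples."""
    return [Finding(p, c, s, parse_cvss_vector(v)) for p, c, s, v in rows]


def is_unauth_remote(finding: Finding) -> bool:
    """The pattern the article singles out as most dangerous: reachable over
    the network (AV:N), no privileges required (PR:N), no user interaction
    (UI:N). This mapping is an assumption, not Oracle's wording."""
    v = finding.vector
    return v["AV"] == "N" and v["PR"] == "N" and v["UI"] == "N"


def triage(findings):
    """Sort findings (highest score first) into three tiers:
    'patch_now' for critical-score, unauthenticated-remote issues;
    'urgent' for the remaining high/critical scores; 'scheduled' otherwise."""
    tiers = {"patch_now": [], "urgent": [], "scheduled": []}
    for f in sorted(findings, key=lambda x: x.score, reverse=True):
        if f.score >= CRITICAL_SCORE and is_unauth_remote(f):
            tiers["patch_now"].append(f)
        elif f.score >= HIGH_SCORE:
            tiers["urgent"].append(f)
        else:
            tiers["scheduled"].append(f)
    return tiers


if __name__ == "__main__":
    for tier, items in triage(load_findings(SAMPLE_MATRIX)).items():
        print(tier)
        for f in items:
            print(f"  {f.score:4.1f}  {f.cve}  {f.product}")
```

The vector parser is deliberately strict: a row with a truncated or mis-typed vector raises rather than defaulting to "scheduled", which is the failure mode that matters when the whole point is not to miss the unauthenticated, network-reachable entries.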