Oracle releases July 2019 Critical Patch Update to address vulnerabilities across multiple products
Latest Oracle patch release addresses a mere 319 vulnerabilities across the company's enterprise software
Oracle has released its July 2019 Critical Patch Update - with the usual hundreds of patches to be applied across its various applications and infrastructure software.
The Update addresses 319 vulnerabilities in total, some of which are rated 'critical' and could be exploited by remote attackers to execute arbitrary code enabling them to take control of enterprise systems.
Of the 319 vulnerabilities addressed in the latest security update, 65 affect Oracle E-Business Suite (EBS). Of them, 13 vulnerabilities directly affect Oracle EBS technology stack components - all versions from EBS 12.1 to 12.2.8.
According to Oracle, that means it is not enough simply to be running the latest version: users also need to install the critical security update across their stack. Oracle has warned that 12 of the 13 vulnerabilities affecting EBS stack components can be remotely exploited without authentication.
Nine of the 65 vulnerabilities affect the Oracle database, of which one may be remotely exploited by attackers without authentication.
Oracle Fusion Middleware is affected by 33 vulnerabilities, while 10 vulnerabilities affect Oracle Java.
According to Onapsis, there are also some bugs present in the EBS Payments module, which stores information related to credit card and/or bank accounts. Successful exploitation of these vulnerabilities may enable an attacker to remotely execute arbitrary code in the server/client or to carry out a denial of service attack.
The July critical security update also contains fixes for Oracle WebLogic Server vulnerabilities, CVE-2019-2725 and CVE-2019-2729, for which Oracle issued security alerts in April and June.
Some of the vulnerabilities affecting Oracle Database, Oracle Communications Applications, Oracle Construction and Engineering Suite and Oracle Enterprise Manager products have a CVSS score of 9.8.
"Until you apply the Critical Patch Update fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack," Oracle informed users in its advisory.
"For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from users that do not need the privileges may help reduce the risk of successful attack."
"Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem."
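The advisory text above gives the two stop-gap classes Oracle offers before the patches are applied (block the network protocol the attack needs; strip privileges or package access the attack requires) and the properties that drive patch priority (CVSS score, remotely exploitable without authentication). The following is an added example, not Oracle's or the article's code, of how a defender might encode that triage over a set of advisory rows. The rows, CVE ids and scores are constructed placeholders, not the real July 2019 data; the field names are assumptions chosen for the example.

```python
"""Triage helper for Critical Patch Update advisory rows.

Added example (not Oracle's or the article's code). The SAMPLE rows are
constructed placeholders shaped like a CPU risk-matrix entry: product,
CVSS base score, whether the flaw is remotely exploitable without
authentication, and the network protocol the attack vector uses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    cve: str               # placeholder id, not a real CVE
    product: str
    cvss: float            # CVSS base score
    remote_no_auth: bool   # "may be remotely exploited without authentication"
    protocol: str          # protocol of the attack vector (e.g. HTTP)
    patch_applied: bool = False


# Constructed sample data: ids and scores are placeholders.
SAMPLE = [
    Entry("CVE-0000-0001", "WebLogic Server", 9.8, True, "HTTP"),
    Entry("CVE-0000-0002", "Oracle Database", 7.2, False, "Oracle Net"),
    Entry("CVE-0000-0003", "E-Business Suite", 9.8, True, "HTTP"),
    Entry("CVE-0000-0004", "Java SE", 5.3, True, "Multiple"),
    Entry("CVE-0000-0005", "Fusion Middleware", 8.1, True, "HTTP", patch_applied=True),
]


def priority(e):
    """Sort key: unpatched first, then remote-no-auth, then by CVSS score."""
    return (not e.patch_applied, e.remote_no_auth, e.cvss)


def triage(entries):
    """Return the unpatched entries, most urgent first.

    sorted() is stable, so rows with identical keys keep their input order.
    """
    return sorted((e for e in entries if not e.patch_applied),
                  key=priority, reverse=True)


def interim_mitigation(e):
    """Map an entry to the advisory's two interim classes (neither is a fix)."""
    if e.patch_applied:
        return "none needed"
    if e.remote_no_auth:
        # Unauthenticated remote flaws: block the protocol at the network edge.
        return f"block {e.protocol} to this service from untrusted networks"
    # Flaws needing privileges or package access: remove them where not needed.
    return ("revoke the privileges or package access the attack requires "
            "from users that do not need them")


def critical_unauth(entries, threshold=9.0):
    """CVE ids that are both critical by score and remotely exploitable without auth."""
    return [e.cve for e in triage(entries)
            if e.cvss >= threshold and e.remote_no_auth]


if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.cve} {e.product:18} cvss={e.cvss} -> {interim_mitigation(e)}")
```

Running the block prints the unpatched rows in patch order, with the interim measure each one would get; the ordering puts unauthenticated remote flaws ahead of higher-scored ones that need privileges, which matches the advisory's own emphasis.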
Last month, Oracle released a patch for a WebLogic Server flaw that hackers had been actively exploiting in the wild. That critical remote code execution vulnerability, indexed as CVE-2019-2729, affected versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 of WebLogic Server, according to the company.
Earlier in April, Oracle rolled out a 299-patch security update to fix a slew of vulnerabilities across a wide range of the company's software.