Security Watch

Keeping Track of patches and hacks in the IT security world.

Oracle Patches 136 Flaws in Critical Patch Update

Although the overall number of vulnerabilities in Oracle's software is high, there are just seven issues for enterprises to be concerned about.


Oracle released its quarterly Critical Patch Update (CPU) on April 20, providing its users with patches for 136 flaws spread across Oracle's software portfolio.

Oracle's namesake database server is being patched for a total of five new security vulnerabilities, two of which are remotely exploitable without user authentication. The Fusion Middleware suite fares somewhat worse with 22 flaws, of which 21 are remotely exploitable. The PeopleSoft product suite is being updated for 15 security vulnerabilities, while Siebel CRM is patched for two.

Java, which was once the largest source of vulnerabilities for Oracle's CPU, is being patched for only nine flaws, though all of them are remotely exploitable over a network without the need for a username and a password. Oracle gained Java by way of its 2010 acquisition of Sun Microsystems.

Twelve out of 18 total flaws in the Oracle Sun System product suite, which includes the Solaris Unix operating system and SPARC firmware, are remotely exploitable without authentication.

Another former Sun technology was the source of the largest grouping of patches in the April CPU. The open-source MySQL database is being patched for 31 new CVEs, though only a pair are remotely exploitable without a username and password.

Chris Goettl, product manager at Shavlik, commented via email that the oldest flaw being patched in the April CPU is one that dates back five years, to 2011. The CVE-2011-4461 vulnerability is in the Sun Storage Common Array Manager, which is based on the Jetty Web Server. While Oracle is only patching the issue now, it is rated with a CVSS (Common Vulnerability Scoring System) score of just 5, out of a possible 10, though it is remotely exploitable without user authentication.

All told, Goettl noted that seven of the patched vulnerabilities in the April CPU get a 10.0 score on the CVSSv2 scale.

"Seven out of the seven CVSS 10.0 vulnerabilities fit the pattern of those exploited in less than a month," Goettl stated. "With that in mind, I recommend the following priorities be added to your April Patch Tuesday activities: Java SE (four of seven), MySQL (two of seven) and Sun Systems Products Suite (one of seven) should be updated in this cycle."

Sean Michael Kerner is a senior editor at eWEEK. Follow him on Twitter @TechJournalist.

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.