Oracle releases Critical Patch Update addressing 296 vulnerabilities

MySQL alone accounted for fixes for 44 vulnerabilities in Oracle's latest patch batch, while Fusion Middleware has 53 security flaws patched

Oracle has released a Critical Patch Update addressing 296 vulnerabilities across several of its software products.

The update includes fixes for Fusion Middleware, PeopleSoft ERP, the company's flagship database, the MySQL database, Oracle Supply Chain Management, retail applications, Oracle Commerce, Oracle E-Business Suite, Java SE, and virtualisation software - among many others.

Many vulnerabilities addressed in the April update are critical, according to Oracle, and could lead to remote exploits, if not patched.

The MySQL database product received patches for 44 vulnerabilities. Most of them were minor flaws, although three of the bugs can be targeted remotely by attackers without authentication.

For Fusion Middleware, the update addresses 53 vulnerabilities, 42 of which are remotely exploitable without requiring any authentication details.


The company has fixed five vulnerabilities in Java SE. Each of these flaws can be exploited remotely to run malicious code without any user interaction. Oracle's security team gave a maximum 9.0 CVSS score to these vulnerabilities.

Oracle has also introduced new licensing requirements for Java SE. These licences will cover business customers using Java SE as part of another Oracle product. The consumer and developer versions of Java SE will continue to be free.

Oracle's Communications applications lineup received fixes for 26 vulnerabilities, 19 of which are remotely exploitable.

Its Database Server - once advertised as "unbreakable" - contained six vulnerabilities, of which one is remotely exploitable and another affects only the client software.

Oracle's 'Unbreakable' bus - as photographed by Mikko Hypponen

April's Critical Patch Update also addressed 35 flaws in the E-Business Suite, 33 being remotely exploitable.

PeopleSoft applications were issued fixes for 13 vulnerabilities, eight of which can be exploited remotely without authentication. Meanwhile, the Solaris Unix operating system received patches for three flaws.

According to Oracle, several vulnerabilities that were fixed in this Critical Patch Update are capable of affecting multiple products.

Oracle has advised customers to use only actively-supported versions and to run Critical Patch Updates without delay.

"A Critical Patch Update is a collection of patches for multiple security vulnerabilities," Oracle explained.

It continued: "Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory.

"Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes."
