Oracle has released its Critical Patch Update for January 2019, which includes 284 vulnerability fixes across multiple products. Oracle continues to receive reports of remote attackers attempting to maliciously exploit unpatched vulnerabilities.
In some cases, the malicious actors have been successful in exploiting vulnerabilities because organizations failed to apply the necessary Oracle patches.
Oracle strongly recommends “that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” as noted in the latest security advisory.
Only three vulnerabilities were fixed in Oracle Database Server and none of those are remotely exploitable without authentication.
However, Oracle Communications Server had 33 security bug fixes; 29 of these vulnerabilities may be remotely exploitable without authentication. Nine were rated critical (CVSS score of 9.6 or higher).
Oracle patched 62 vulnerabilities (5 critical) in its Fusion Middleware product.
Of additional note, Oracle also provided fixes for the following products (with total and critical vulnerabilities patched for each):
- Oracle Construction and Engineering Suite (4 total, 1 critical)
- Oracle E-Business Suite (16 total, 2 critical)
- Oracle Enterprise Manager Products Suite (11 total, 1 critical)
- Oracle Financial Services Applications (9 total, 3 critical)
- Oracle Food and Beverage Applications (6 total)
- Oracle Health Sciences Applications (6 total)
- Oracle Hospitality Applications (5 total)
- Oracle Hyperion (1 total)
- Oracle Insurance Applications (5 total)
- Oracle Java SE (5 total)
- Oracle JD Edwards Products (2 total, 1 critical)
- Oracle MySQL (30 total, 1 critical)
- Oracle PeopleSoft Products (20 total)
- Oracle Retail Applications (16 total, 5 critical)
- Oracle Siebel CRM (1 critical)
- Oracle Sun Systems Products Suite (11 total, 2 critical)
- Oracle Supply Chain Products Suite (5 total, 1 critical)
- Oracle Support Tools (1 total)
- Oracle Utilities Applications (2 total, 1 critical)
- Oracle Virtualization (30 total)
Many of the vulnerabilities listed for these products can be exploited without authentication.
System administrators should apply the necessary patches as soon as possible to mitigate the threats.