Oracle Patches Over 200 Remotely Exploitable Vulnerabilities in July 2018 Critical Patch Update
Oracle this week released its July 2018 set of patches to address a total of 334 security vulnerabilities, the largest number of flaws resolved with a Critical Patch Update (CPU) to date. Over 200 of the bugs may be remotely exploitable without authentication.
This month, 23 products from the enterprise security giant were patched, including E-Business Suite, Financial Services Applications, Fusion Middleware, Hospitality Applications, Java SE, MySQL, PeopleSoft Products, Retail Applications, Siebel CRM, and the Sun Systems Products Suite.
More than 50 of the flaws addressed this month had a CVSS 3.0 Base Score of 9.8. Overall, 61 security bugs had a CVSS score of 9.0 or above, according to Oracle’s advisory.
“On the surface, the downward trend of Java SE patches would appear to be positive,” Apostolos Giannakidis, Security Architect at Waratek, told SecurityWeek. “However, several actions taken to fix Java SE vulnerabilities in the July CPU are likely to break the functionality of certain applications. Application owners who apply binary patches should be extremely cautious and thoroughly test their applications before putting patches into production.”
“The fix for the most critical Java SE vulnerability in the July CPU – CVE-2018-2938 – removes the vulnerable component (Java DB) from the JDK,” Waratek explained in a guidance note sent to SecurityWeek Wednesday. “Users that depend on this component must manually obtain the latest Apache Derby artifacts and rebuild their applications.”