- Out of the 301 vulnerabilities, 45 had a severity rating of 9.8 and one of the vulnerability also received the maximum severity rating score of 10.
- Hackers could compromise a targeted system remotely, without any authentication process involved, by exploiting these vulnerabilities.
Oracle has released a wide range of critical security updates (CPU) to address a total of 301 CVE-listed vulnerabilities, in its different enterprise products. The updates have been released as part of Q3 2018, October edition of the updates. Out of the 301 vulnerabilities, 45 had a severity rating of 9.8 (on a scale of 10). One of the vulnerability also received the maximum severity rating score of 10.
Considering the number of vulnerabilities patched by Oracle in a single update, the latest update was not the biggest patch ever made by the company. The July 2018 CPU is considered to be the biggest security update released by Oracle till date, in which the company addressed 334 vulnerabilities out of which 55 were rated with a high severity score of 9.8.
Security vulnerabilities addressed by the critical security updates are listed in the massive advisory released by Oracle on Tuesday.
High severity vulnerabilities
The vulnerabilities that received high severity rating could allow hackers to exploit them remotely, without any authentication process involved. These critical vulnerabilities can even be exploited by an attacker without any specialized skills or technical knowledge.
The vulnerability that received a severity rating of 10 impacts the Oracle GoldenGate data replication framework. The issue also affects other Oracle product setups where GoldenGate can be deployed as an add-on such as the Oracle Database Server, DB2, MySQL, Sybase, Terradata and others, said a ZDNet report.
According to the Oracle advisory, critical vulnerabilities rated with a severity score of 9.8 were affecting products such as Oracle Database, Oracle Communications, the Oracle Construction and Engineering Suite, the Oracle Enterprise Manager Products Suite, Oracle Fusion Middleware, Oracle Insurance Applications, Oracle JD Edwards, MySQL, Oracle Retail, the Oracle Siebel CRM and the Oracle Sun Systems Products Suite.
Additional information not available
Additional information about each of the vulnerability will be published in the coming days said the Oracle security team. Furthermore, it also gives added time to the companies to update the affected applications, before the details of the vulnerability are made public and available to everyone, including the cybercriminals.“Oracle strongly recommends that customers apply security fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have security fixes announced in this Critical Patch Update, please review previous Critical Patch Update advisories to determine appropriate actions,” said the Security advisory.