Oracle has released its latest Critical Patch Update round, this time addressing a whopping 121 bugs in a range of products.
There were five fixes for the Oracle Database Server, including two that could be remotely exploited without authentication.
Also featured were 22 fixes for Oracle Fusion Middleware, all but one of which were remote code execution flaws. One of these – CVE-2016-3455 – was allocated a CVSSv2 base score of 9.0.
Oracle’s Enterprise Manage Grid Control needed just two fixes, while the E-Business Suite was allocated seven, the Supply Chain Products Suite six, PeopleSoft Products 15, JD Edwards Products one, Siebel CRM two, Oracle Communications Applications one, Oracle Retail Applications three, Oracle Health Sciences Applications one, and Oracle Financial Services Software four.
There were nine fixes for Java SE - including four rated CVSSv2 10.0 - 18 for Sun Systems Products, four for Oracle Virtualization, 31 for MySQL, and five fixes for Oracle Berkeley DB.
In total, seven of the 121 flaws were rated the highest score on the CVSSv2 system of 10.0 – all of which “fit the pattern of those exploited in less than a month,” according to Shavlik products manager, Chris Goettl.
“With that in mind, I recommend the following priorities be added to your April Patch Tuesday activities: Java SE (four of seven), MySQL (two of seven) and Sun Systems Products Suite (one of seven) should be updated in this cycle,” he advised.
“I know many of you are already a week in, but these are vulnerabilities that stand a higher chance of being exploited before your next monthly patch cycle.”
Goettl explained that admins should check Metasploit to see if an exploit code for specific vulnerabilities is available.
“If it is in Metasploit, it is also in the threat actor’s hands,” he added. “Beyond that, things like public disclosures help to identify vulnerabilities that stand a higher chance of being exploited.”
Verizon’s Data Breach Investigations Report also provides a useful profile for bugs more likely to be exploited, Goettle claimed.