Oracle has issued patches for a record 299 security vulnerabilities including 40 critical bugs in its products, with one fix related to a recently disclosed NSA Solaris exploit.
The database giant’s April Critical Patch Update (CPU) easily beats the last major quarterly security update round in July 2016, when 276 bugs were fixed.
Of the 40 vulnerabilities rated critical (CVSS 9-10.0), more than half (25) are given the maximum CVSS rating of 10.0.
Oracle revealed that the patch for CVE-2017-3622 fixes a CVSS 7.8 flaw in the Common Desktop Environment of Solaris 10 which the NSA is alleged to have developed the “Extremeparr” tool to exploit.
That exploit is one of many thought to have been authored by the NSA’s Equation Group and leaked by the Shadow Brokers hacking group in a recent data dump.
Oracle also assigned CVE-2017-3623 to a vulnerability targeted by the “Ebbisland” exploit. It affects the Kernel RPC component of Solaris and could allow a remote hacker to take over the OS without authentication.
However, it will only affect those using unsupported versions of Solaris or those who haven’t yet patched the kernel in Solaris 10. A fix has apparently been available since January 2012.
According to an analysis by security vendor ERPScan, the average number of patches for Oracle has tripled in the past five years, from 91 to 284.
Some of the most serious (CVSS 10.0) this quarter are to be found in the Struts 2 component of MySQL Enterprise Monitor (CVE-2017-5638); Oracle FLEXCUBE Private Banking (CVE-2017-5638); Oracle Financial Services Asset Liability Management (CVE-2017-5638); and the Oracle Financial Services Data Integration Hub (CVE-2017-5638).
“Cybercrime has always been a lucrative business. Nowadays, hackers set their eyes on enterprises more than on individuals, as they understood that it is more profitable. Taking into account that Oracle’s products are installed in the largest enterprises, these applications can be the ultimate target,” argued ERPScan’s CTO, Alexander Polyakov.
“The good news is that the vendor drew its attention to this critical area before a serious data breach happens. The bad news is that Oracle admins will long work on installing numerous patches.”