What's in the Oracle's Critical Patch Update (CPU)?

Now it’s time for Administrators who work with Java applications and Oracle databases to realize what’s in store for them in the new security update from Oracle. More than a third of the security fixes affect Java, MySQL, and Oracle Database Server. Several of these vulnerabilities are considered critical and could be remotely exploited without requiring authentication, Oracle said.

 Oracle doesn't state in the Critical Patch Update (CPU) whether any of the vulnerabilities is currently being exploited in the wild. However, it warns that attackers continue to target security holes for which fixes are already available. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively supported versions and apply Critical Patch Update fixes without delay," the company said in an advisory.

Losing interest in database fixes

 The size of this CPU -- 136 fixes -- is actually the second smallest over the past year. Last April's CPU fixed a mere 98 flaws, but subsequent updates have been progressively larger, peaking at 248 patches in January's gargantuan CPU. More than the size of the CPU itself, what's striking is the small number of patches for Oracle Database. Past CPUs have hovered around 10 Oracle Database Server patches, but this month there are only five. Maybe it has something to do with April -- Oracle patched a mere four flaws last April.

MySQL still gets attention

 Oracle's lack of attention on databases may be confined to its flagship database since the CPU did not neglect MySQL. Of the 31 new security fixes for Oracle MySQL, four could be exploited remotely without authentication. Both critical vulnerabilities in MySQL Server's packaging subcomponent (CVE-2016-0705) and the critical vulnerability in MySQL Server's pluggable authentication subcomponent (CVE-2016-0639) affect versions 5.6.29 and earlier as well as 5.7.11 and earlier. Oracle assigned a CVSS 3.0 rating of 9.8 (CVSS 2.0 rating of 10.0) and warned that the attack complexity for this flaw was low, meaning attackers don't have to meet any special requirements to access the bug. A successful attack would result in total information disclosure and complete control over the targeted system.

Patch Java or dump it

 Oracle patched nine security flaws in Oracle Java SE, which affects Java applets and Java Web Start applications. All of the vulnerabilities can be remotely exploited without a username or password, but the severity depends on the level of privileges assigned to the user. If the user has administrator privileges -- unfortunately still common on Windows systems -- the severity is much higher than if the user has restricted access, a scenario more common for Linux and Solaris users.