The latest Oracle Critical Patch Update is the largest to date, with 248 fixes covering 24 product lines.
The Oracle Critical Patch Update program has been ongoing for 11 years, releasing patches four times a year. The security fixes cover 24 different product lines including but not limited to Oracle Database, Java SE, PeopleSoft, JD Edwards, Fusion Middleware, Fusion Applications, Oracle GoldenGate and E-Business Suite.
Although Oracle's blog keeps its tone mild about the Critical Patch Update, some of the vulnerabilities appear to be serious. For instance, Oracle GoldenGate has three security vulnerabilities that are remotely accessible, two of which rate the highest possible threat level on the Common Vulnerability Scoring System (CVSS).
Oracle uses the National Vulnerability Database's CVSS version 2 to report the risk posed by security vulnerabilities. The CVSS base score is derived from six metrics: access vector, access complexity, authentication, and the impact on confidentiality, integrity and availability. It rates vulnerabilities on a scale of 0 to 10. A score of 0 to 3.9 represents a low threat, 4 to 6.9 represents a medium threat and 7 to 10 represents a high threat. The Oracle GoldenGate vulnerabilities rate 10.0, 10.0 and 5.0. In the Oracle Database, a vulnerability in the Oracle Java VM has a rating of 9.0. Not all of the CVSS scores are that high: one MySQL Server vulnerability rates only a 1.7 on the CVSS scale.
Oracle recommends applying the Critical Patch Update as soon as possible and staying on actively supported versions of Oracle products. Some of the vulnerabilities affect current versions of Oracle products, but some affect older ones. So it's also important to check for outdated versions of Oracle products left on the server and remove them before they become security vulnerabilities. Furthermore, Oracle advises making sure that the security alert of November 10, 2015 (CVE-2015-4852) has already been applied and, if not, applying the fixes or performing the recommended configuration changes.
The next Oracle Critical Patch Update will be April 19.