Oracle has released its latest quarterly Critical Patch Update. The update for Oracle products contains 219 patches, many of which close several vulnerabilities at once.
Some bugs affect several products at once. One example is the RCE vulnerability CVE-2019-14379 in the FasterXML jackson-databind package, a library for converting JSON content into Java objects and back. It is used by Oracle's financial, construction and retail web applications, all of which received the corresponding patch.

“A Critical Patch Update is a collection of patches for multiple security vulnerabilities. These patches are usually cumulative, but each advisory describes only the security patches added since the previous Critical Patch Update advisory. This Critical Patch Update contains 219 new security patches across different product families”, the Oracle advisory states.
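A practical follow-up to the shared-library point above: because jackson-databind is bundled inside many products, the first thing to check is which version of it each deployment actually ships. The script below is an added example (not from the article and not Oracle's code) that scans a dependency listing in the format printed by `mvn dependency:list` and flags jackson-databind versions older than 2.9.9.2, the upstream release that fixed CVE-2019-14379; the sample listing is constructed for the demonstration. For Oracle's own products the advisory, not this upstream version number, is the authority, since vendor builds may carry backported fixes.

```python
"""Flag jackson-databind artifacts older than the upstream fix for CVE-2019-14379.

Added example (not from the article or from Oracle). Parses lines in the
`mvn dependency:list` format  group:artifact:packaging:version:scope  and
reports jackson-databind versions that sort below the fixed release.
"""
import re
from typing import List, Tuple

# Upstream jackson-databind release that fixed CVE-2019-14379 (2.9.9.2).
# Vendor-bundled builds may backport the fix, so treat this as a first filter,
# not as a verdict for Oracle-shipped jars.
FIXED_VERSION = "2.9.9.2"
ARTIFACT = "com.fasterxml.jackson.core:jackson-databind"

# Constructed sample input in mvn dependency:list output format.
SAMPLE_DEPS = """\
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.2:compile
[INFO]    org.ehcache:ehcache:jar:3.8.0:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.10.0:test
"""

# group : artifact : packaging : version : scope  (entries with a classifier
# field, group:artifact:packaging:classifier:version:scope, are not handled here)
DEP_RE = re.compile(r"([\w.\-]+):([\w.\-]+):\w+:([\w.\-]+):(\w+)")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.9.9.2' into (2, 9, 9, 2).

    Segments are split on '.' and '-'; parsing stops at the first non-numeric
    segment, so '2.9.9-SNAPSHOT' becomes (2, 9, 9).
    """
    parts = []
    for seg in re.split(r"[.\-]", v):
        if not seg.isdigit():
            break
        parts.append(int(seg))
    return tuple(parts)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True if `version` sorts strictly below the fixed release.

    Tuples compare lexicographically, so (2, 9, 9) < (2, 9, 9, 2) as required,
    while a four-segment but older 2.8.11.4 still ranks below 2.9.9.2 and
    2.10.0 ranks above it (10 > 9 numerically, unlike a string compare).
    """
    return parse_version(version) < parse_version(fixed)


def find_vulnerable(listing: str) -> List[Tuple[str, str]]:
    """Return (version, scope) for every jackson-databind entry below the fix."""
    hits = []
    for line in listing.splitlines():
        m = DEP_RE.search(line)
        if not m:
            continue
        group, artifact, version, scope = m.groups()
        if f"{group}:{artifact}" == ARTIFACT and is_vulnerable(version):
            hits.append((version, scope))
    return hits


if __name__ == "__main__":
    for version, scope in find_vulnerable(SAMPLE_DEPS):
        print(f"jackson-databind {version} ({scope}) is below {FIXED_VERSION}")
```

Numeric tuple comparison matters here: a naive string compare would rank "2.10.0" below "2.9.9.2" and produce a false positive. The same scan can be run on the output of `mvn dependency:list` redirected to a file, or adapted to jar file names found on a server, which is how bundled copies inside a vendor product usually surface.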
More than half of the vulnerabilities closed by the vendor can be exploited remotely without authentication. Of these, 14 were rated critical, with a CVSS score of 9.0 or higher. The most dangerous is CVE-2018-14721, a server-side request forgery (SSRF) flaw in Oracle NoSQL Database.
It carries the maximum CVSS score of 10.0. Beyond it, Oracle patched a dozen more bugs affecting its database server products; eight of them concern the relational Oracle Database.
The Fusion Middleware family received the largest share of patches, 37, fully fixing 32 vulnerabilities (in addition to those already covered by the Oracle Database patches). Eight of them were found in various components of WebLogic Server.
MySQL received 34 patches and the Java SE platform 20. Patches were also issued for the E-Business Suite business applications, the PeopleSoft enterprise management system, Oracle VM VirtualBox and the Solaris operating system.
“Oracle continues to receive periodic reports of malicious exploitation attempts for which patches have already been released. Some attempts were successful, as the attacked users did not bother to apply the released patch. For this reason, Oracle strongly recommends using only versions with active support and installing the quarterly patches without delay”, the company's advisory says.