Oracle issues massive security patches

Enterprise IT supplier Oracle has issued one of its largest security updates ever, plugging 128 holes in many of its major products.

The April 2013 Critical Patch Update or CPU applies to Oracle databases, fusion middleware, its e-business suite, Peoplesoft, Siebel, Sun Systems and other software.

Java, which is currently being targeted by malware writers, has received out of band patches from Oracle and the large patch contains relatively few fixes for the programming framework.

Instead, Oracle has issued a separate Java SE CPU for April, containing 42 security fixes for JDK and JRE 5.0, 6 and 7, plus JavaFX 2.2.7.

Oracle has advised customers to apply the patches as soon as possible, "due to the threat posed by a successful attack." Several patches close holes that are remotely exploitable, according to the product risk matrices published by Oracle.

However, the company notes that some of the fixes mean certain privileges and access to packages are removed, which could break application functionality.vAs a result, Oracle has advised that customers test first on non-production systems.

Large security patches have been issued by Oracle in the past, such as in February this year when it plugged fifty holes in Java to prevent mass drive-by zero day exploitation of customer systems.

In October 2010, Oracle issued a patch for 81 vulnerabilities, and in January 2011, a security fix covering 66 holes was followed by another update with 78 fixes in July the same year.

Like many other large vendors, Oracle issues patches on a fixed schedule, which it says is designed to avoid blackout dates during which customers cannot alter their production environments. Patches are issued on Tuesdays closest to the 17th day of the month, Pacific Time, in January, April, July and October each year.