Oracle drops another massive critical security update


Researchers find 15,000 vulnerable web servers.

Enterprise admins are being advised to urgently patch their Oracle products after the company released another vast set of fixes for critical, easily exploitable vulnerabilities.

A total of 253 flaws are taken care of in Oracle's October 2016 critical patch update (CPU), making it the second largest this year behind the July CPU and its 276 fixes.

The software giant has warned its e-Business Suite (EBS) versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.3 and 12.2.5 can be easily hacked over HTTP and has issued 23 fixes for the flaws. 

Oracle warned that 21 of the vulnerabilities "may be remotely exploitable without authentication, i.e. may be exploited over a network without the need for a username and password".

Security vendor ERPScan said it had found around 15,000 vulnerable Oracle EBS servers connected to the internet.

Oracle's tarnished Java application framework received only 13 fixes in the latest round of patches, nine of which can be exploited remotely without authentication.

How the October 2016 Oracle patches are spread across its product suite
Source: ERPScan

Besides application fixes, Oracle also released security patches for hardware such as network switches and SPARC-architecture servers, as well as for its Solaris UNIX operating system and the VirtualBox virtual machine software.

Copyright © iTnews.com.au . All rights reserved.