Enterprise systems administrators will have their hands full for the foreseeable future with a record 299 security fixes issued by Oracle in its regular Critical Patch Update for April 2017.
A number of the fixes apply to the Apache Struts 1 and 2 web application frameworks, which Oracle bundles in many of its products; the Struts 2 flaw (the remote code execution bug tracked as CVE-2017-5638) has been under active attack for the last two months.
Oracle is patching this vulnerability in several products, including WebCenter Sites, WebLogic Server, Siebel CRM, billing and communications applications, financial services applications, retail applications, and MySQL Enterprise Monitor. Because Struts is embedded inside these products, a site that has already upgraded its own Struts deployments still needs the vendor patch for each affected Oracle product.
The Struts flaw carries the highest possible rating of 10.0 under the Common Vulnerability Scoring System (CVSS) version 3.0, a score that implies it is reachable over the network, needs no authentication or user interaction, and gives an attacker full control of confidentiality, integrity and availability.
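Before the vendor patches land, the practical first step is an inventory: which install trees contain a Struts jar that predates the fix? The script below is an added example written for this article, not code from the article or from Oracle. It assumes the Struts 2 fix versions are 2.3.32 and 2.5.10.1 (the Apache S2-045 releases for the flaw under attack), treats any Struts 1 jar as needing attention because Struts 1 is end-of-life, and uses a constructed list of jar paths when no directory is given on the command line.

```python
"""Flag bundled Apache Struts jars that predate the fix for the flaw under active attack.

Added example; it is not code from the article or from Oracle. It assumes the
Struts 2 fix versions 2.3.32 and 2.5.10.1 (Apache's S2-045 releases) and treats
every Struts 1 jar as needing attention because Struts 1 is end-of-life.
"""
import os
import re
import sys
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# First release on each maintained Struts 2 branch that carries the fix (assumed from S2-045).
FIXED_VERSIONS = {(2, 3): (2, 3, 32), (2, 5): (2, 5, 10, 1)}

# Matches struts2-core-2.3.31.jar, struts-core-1.3.10.jar and struts-1.2.9.jar.
JAR_RE = re.compile(r"^(struts2?-core|struts)-(\d+(?:\.\d+)+)\.jar$")


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare element-wise, so (2, 5, 10) < (2, 5, 10, 1)."""
    return tuple(int(part) for part in text.split("."))


def check_jar(name: str) -> Optional[Tuple[bool, str]]:
    """Classify a jar by its file name.

    Returns None for anything that is not a Struts jar, otherwise
    (needs_attention, reason).
    """
    match = JAR_RE.match(name)
    if match is None:
        return None
    ver_text = match.group(2)
    version = parse_version(ver_text)
    if version[0] == 1:
        return True, "Struts 1.x (%s) is end-of-life; rely on the vendor patch" % ver_text
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        # 2.0 - 2.2 never received the fix; they are affected or unsupported.
        return True, "Struts %s is on an unmaintained 2.x branch" % ver_text
    fixed_text = ".".join(map(str, fixed))
    if version < fixed:
        return True, "Struts %s is below fixed release %s" % (ver_text, fixed_text)
    return False, "Struts %s is at or above %s" % (ver_text, fixed_text)


def classify(paths: List[str]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every jar in `paths` that needs attention."""
    flagged = []
    for path in paths:
        result = check_jar(os.path.basename(path))
        if result is not None and result[0]:
            flagged.append((path, result[1]))
    return flagged


def scan(root: str) -> List[Tuple[str, str]]:
    """Walk `root` (for example a product install tree) and classify every jar found."""
    jars = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files if f.endswith(".jar")]
    return classify(jars)


if __name__ == "__main__":
    # Constructed demonstration input, standing in for a real WEB-INF/lib listing.
    sample = [
        "/opt/app/WEB-INF/lib/struts2-core-2.3.31.jar",
        "/opt/app/WEB-INF/lib/struts2-core-2.5.10.1.jar",
        "/opt/legacy/WEB-INF/lib/struts-1.2.9.jar",
        "/opt/app/WEB-INF/lib/commons-io-2.4.jar",
    ]
    hits = scan(sys.argv[1]) if len(sys.argv) > 1 else classify(sample)
    for path, reason in hits:
        print(f"{path}: {reason}")
```

Run it as `python struts_inventory.py /u01/app/oracle` to walk a real tree. A file-name check is only a first pass: shaded, renamed or vendor-repackaged copies of Struts will not match the pattern, and the `META-INF/MANIFEST.MF` or `pom.properties` inside the jar is a more reliable source of the version. For the Oracle products listed above, the authoritative remediation remains the Critical Patch Update itself, not a hand-upgraded jar.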
Overall, the April 2017 patch set addresses 40 vulnerabilities with CVSS scores between 9.0 and 10.0, the range CVSS 3.0 labels critical.
Security vendor ERPScan noted that 37 percent of the vulnerabilities affect Oracle's retail and financial applications.
One of the vulnerabilities reported to Oracle by ERPScan affects the company's E-Business Suite and can be exploited remotely through SQL injection to silently siphon off database information.
Oracle's Java SE platform, derided in the past for poor security, received only eight fixes. The two most serious are remote code execution vulnerabilities in the Java Abstract Window Toolkit (AWT) graphical user interface library, each with a CVSS 3.0 score of 8.3.
A large number of people contributed security reports to Oracle for the April 2017 patch update. The company acknowledged no fewer than 72 researchers in this quarter's security bundle.