Oracle fixes hundreds of security holes in enterprise apps


Urges admins to patch or be exploited.

Enterprise software vendor Oracle has addressed 254 vulnerabilities in its regular critical patch update for April, up slightly on the January set of fixes that handled 233 flaws.

Multiple severe vulnerabilities that allow easy, full takeover of Oracle applications by remote attackers are patched with the April 2018 update.

Unpatched Oracle applications most at risk of remote compromise include:

  • Financial Services Market Risk Measurement and Management version 8.0.5
  • Financial Services Hedge Management and IFRS Valuations version 8.0.4 and 8.0.5
  • WebLogic Server versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3
  • JD Edwards World Security versions A9.2, A9.3 and A9.4
  • Retail Order Management System 4.0, 4.5, 4.7 and 5.0

The critical vulnerabilities in these applications are all rated at 9.8 out of 10 in the common vulnerability scoring system (CVSS).

All can be exploited by unauthenticated attackers, using HTTP connections, Oracle advised.

In total, the April 2018 update closed 42 vulnerabilities rated as critical, with CVSS scores higher than 9.0.

Oracle's Java development platform, which has been criticised in the past for poor security, received 14 patches this month.

The most serious vulnerability in Java has a CVSS score of 8.3 and allows attackers to bypass the application isolation "sandbox" when running untrusted code.

However, Oracle said the vulnerability (CVE-2018-2525) is complex to exploit, and requires user interaction to succeed.

Oracle said it continues to receive reports that vulnerabilities it has already addressed are being exploited because administrators fail to apply the available patches.

The company is urging administrators to apply the April 2018 set of updates without delay to avoid the risk of being hacked.

Copyright © iTnews.com.au . All rights reserved.