Oracle issues 270 critical patches

Oracle has released a large number of critical security patches for the first month of the year, with 121 updates alone for its E-Business Suite (EBS).

Its critical patch update (CPU) for January 2017 addresses a total of 270 vulnerabilities across Oracle's product portfolio.

According to security vendor ERPscan, 97 percent - or 118 vulnerabilites in EBS - are remotely exploitable without any authentication.

"A succesful attack against Oracle EBS allows an attacker to steal and manipulate different [types of] business-critical information, depending on the modules installed in an organisation," ERPscan said.

Of the vulnerabilities patched in the January 2017 CPU, 16 are rated as critical with a common vulnerability scoring system (CVSS) v3.0 rating of 9.0 or more.

One remotely exploitable flaw that doesn't require authentication or user interaction - identified as CVE-2017-3324 - has the highest possible 10 out of 10 CVSS score. It affects Oracle's Primavera P6 Enterprise Project Portfolio Management versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2.

Just 17 patches for Java

Whereas Oracle EBS vulnerabilities outweigh others in the latest update bundle, the company's Java application framework - long criticised as insecure - saw comparatively few patches

Java SE, Jave SE Embedded, and JRockit received 17 patches for vulnerabilites that are in all cases remotely exploitable without authentication. 

Three of these - CVEs 2017-3289, 2017-3272, 2017-3241 - are rated as critical, with CVSS v3.0 scores of over 9.0.

The most serious flaw in Java - CVE-2017-3289 - affects the Hotspot compiler. Oracle said it applies to Java client deployments typically running sandboxed Java Web Start applications, or Java applets that load and run untrusted code. 

Java server deployments that run trusted code only are not affected by CVE-2017-3289, Oracle said.

The January 2017 CPU is the fourth collection with more than 200 patches in a year. Oracle released a CPU with 254 patches in October, 276 in the July 2016 CPU, and 248 in January last year, marking a steadily rising trend of vulnerabilites discovered over the past few years.