Oracle releases biggest-ever security update

Oracle has released its largest-ever set of security patches, addressing multiple critical vulnerabilities in software and hardware products that can be exploited remotely and without credentials.

Its July 2016 critical patch update contains no fewer than 276 security fixes, beating the previous record in January of 248.

While the company's notoriously insecure Java framework receives fixes for 13 issues in the July update - nine of which are remotely exploitable - Oracle's Fusion Middleware and Sun Systems product suites receive the most patches, with 39 and 34 each respectively.

Enterprise business applications such as Siebel CRM, JD Edwards, PeopleSoft, E-Business Suite, Supply Chain and others are also among those being patched.

The popular MySQL database gets 22 security patches, and nine fixes are available for the flagship Oracle Database.

Of the critical vulnerabilities, five are rated as having a high common vulnerability scoring system (CVSS) base score of 9.8.

Applications affected by vulnerabilities with CVSS base scores of 9.8 include Oracle's WebLogic Server, Directory Server Enterprise Edition, Hyperion Financial Reporting, Health Sciences Clinical Development Centre and Secure Global Desktop.

In all cases, succesful exploitation of the vulnerabilities remotely over a network could lead to attackers taking full control of the applications.

The company said it had received reports that attackers had succeeded in hacking Oracle customers who had failed to apply available patches, and strongly recommended the updates be applied immediately.

Business application security vendor ERPScan noted, however, that applying the patches might not be the easiest task for Oracle customers.

"Oracle systems are complex and multi-component, not speaking about numerous customisations every company usually has," ERPScan said.

"So, Oracle admins should be ready for difficult and time-consuming work of implementing all the patches."