System administrators have a busy time ahead of them after popular software company Oracle released a rather large security update containing 136 patches that fix flaws in most of its product range. The huge size of the company’s latest security update is a result of Oracle adopting a stricter scoring system for vulnerabilities throughout its packages.

Although Oracle does have a history of sending out large updates, this time round the 136 vulnerabilities were found after Oracle began using the Common Vulnerability Scoring System (CVSS) version 3.0. The newer version provides improved accuracy when assessing the potential damage that can be caused by flaws, and scores them more precisely than CVSS 2.0. In a statement announcing the patch update, Oracle recommended users apply the fix as soon as possible.

New Scoring System Flags Up Serious Vulnerabilities

Chief among the security vulnerabilities that Oracle found using CVSS 3.0 was a serious issue that could be exploited by remote attackers who could then control the affected system. A few of these flaws were rated at the maximum level of vulnerability. Despite not showing up when tested using CVSS 3.0, up to five vulnerabilities had been rated at 10 by the older scoring system. The disparity is remedied by the fact that the CVSS 3.0 system scored 17 flaws as critical compared to 9 flagged up by its predecessor. At the same time, vulnerabilities rated as high severity numbered 25 under the new test compared to only 12 found by CVSS 2.0.

The 136 fixes contained in the Critical Patch Update cover a whole host of Oracle’s product range. The following products all had issues addressed in the update:
- Oracle Database Server
- Oracle E-Business Suite
- Oracle Fusion Middleware
- Oracle Sun Products
- Oracle Java SE
- Oracle MySQL