Arthur T Knackerbracket has found the following story:
Oracle has patched 334 vulnerabilities across all of its product families in its January 2020 quarterly Critical Patch Update (CPU). Out of these, 43 are critical/severe flaws carrying CVSS scores of 9.1 and above. The CPU ties for Oracle's previous all-time high for number of patches issued, in July 2019. This overtook its previous record of 308 in July 2017.
The company said in a pre-release announcement that some of the vulnerabilities affect multiple products.
"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible," it added.
The updates include fixes for Oracle's most widely deployed products, including the Oracle Database Server (12 patches total, three remotely exploitable without authentication); Oracle Communications Applications (25 patches, 23 remotely exploitable without authentication, six critical); Oracle Enterprise Manager (50 patches, 10 remotely exploitable without authentication, four critical); Oracle Fusion Middleware (38 patches, 30 remotely exploitable without authentication, three critical); 19 new security patches for Oracle MySQL (19 patches, six remotely exploitable without authentication); and the Oracle E-Business Suite (23 patches, 21 remotely exploitable without authentication, two critical).
-- submitted from IRC
(Score: 4, Insightful) by Barenflimski on Wednesday January 15 2020, @11:13PM (1 child)
What happened over at Oracle? Did they simply not pay any attention to security until last quarter? Did they install a new security team that knew what they were doing?
Somewhere in their development life-cycle it seems that they need to have some sort of QA. Then again when I need a patch, it doesn't matter how secure it is as long as things start to work on day 1. Sounds to me like their code is fumbled together with a secondary review of their code coming later in the process. If this is true, I can only imagine there are oodles of systemic issues that will never be ferreted out of the system without doing a complete rewrite.
(Score: 3, Interesting) by darkfeline on Thursday January 16 2020, @04:14AM
Or more likely, they have incompetent teams fixing the security issues on legacy code bases, such that each fix introduces at least one new issue.
Join the SDF Public Access UNIX System today!