Oracle has emitted its quarterly patch payload, along the way claiming an unwanted record by squashing an all-time-high 276 problems across 84 products.
That's Oracle's biggest bug list to date. Worse still, plenty of them with CVSS scores of 9.0 or above that indicate the problem is critical. Among those nasties are 19 9.8-rated flaws. CVSS only goes up to ten, so these are serious bugs.
Several hit different components of Oracle's Fusion Middleware range. GlassFish, WebLogic and Oracle's Directory server all need urgent attention. The latter has an “ Easily exploitable vulnerability [that] allows unauthenticated attacker with network access via HTTPS to compromise Oracle Directory Server Enterprise Edition.”
“Successful attacks of this vulnerability can result in takeover of Oracle Directory Server Enterprise Edition.”
Hyperion Financial Reporting also has big trouble, as it can be taken over by an unauthenticated attacked. The bug scores a 9.8. So do problems in Oracle Agile Engineering Data Management, Oracle Agile PLM, Oracle Communications EAGLE Application Processor, Oracle Communications Messaging Server, and Oracle Health Sciences Clinical Development Center and four of Big Red's retail applications.
The Oracle Secure Global Desktop isn't: it has a 9.8-rated SSL problem that means attackers could delete data or stage a denial of service attack.
Some old Sun networking kit will need patching, fast, as those old boxes' flaws are also rated 9.8.
Java gets off lightly this time – it's only got four bugs rated 9.6, but 13 to kill in total.
Oracle details all the patches here and offers a verbose version describing the bugs in detail here.
Big Red has a very, very, broad portfolio of products. So it's to be expected that there are some flaws across the range. It's also welcome news that Oracle is finding and acting on flaws. Yet it's hard to take comfort in July's colossal collection being such a jump from April's 136 patches, and also a hop from the 248 reported in January.
Happy patching, Oracle users. ®