Oracle has released its largest set of security fixes to patch 276 vulnerabilities in the firm's enterprise software. Nineteen of the fixes are rated 9.8 out of 10 for severity and will need the immediate attention of IT managers.
July's patches from Oracle outdo the company's previous record of 248 in January.
Enterprise software security company ERPScan said that most of the fixes relate to Oracle's Fusion Middleware and Oracle Sun Systems Products Suite, but 36 address vulnerabilities in industry-specific ERP systems.
This includes 10 that can be exploited remotely without authentication, making them particularly dangerous, and 16 affecting the retail sector.
More than 40 per cent of the patches are intended to fix flaws in Oracle's various enterprise resource planning applications, including Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products and Oracle Database Server.
But the most critical problems, rated 9.8 out of 10 according to Oracle's own risk matrices, affect Oracle WebLogic Server, Oracle Directory Server (enterprise edition), Hyperion Financial Reporting, Oracle Health Sciences Clinical Development Centre and Oracle Secure Global Desktop.
ERPScan said in a security blog post that the WebLogic Server vulnerability is "easily exploitable", and enables an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server.
Similar attacks affect Directory Server, Oracle Health Sciences and the Hyperion Financial Reporting package.
The Oracle Secure Global Desktop, meanwhile, suffers from an "easily exploitable" vulnerability that allows an unauthenticated attacker with network access via SSL/TLS to compromise Oracle Secure Global Desktop.
"Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop," said ERPScan.
"It is highly recommended that organisations patch all these vulnerabilities to prevent business risks affecting their systems.
"Companies providing Oracle security assessment and Oracle penetration testing services should include these vulnerabilities in their checklists."