Oracle has released a record-breaking 299-patch security update, with 40 of the patched vulnerabilities rated as 'critical' - including one in the Solaris operating system exposed by hacking group Shadow Brokers.
That vulnerability, along with 24 others, is rated 10 out of 10 for severity by the Common Vulnerability Scoring System (CVSS). A further 15 are rated as 'critical', with scores between nine and 10.
The series of patches breaks the company's previous record release - a mere 276 in July 2016 - but reflects a growth in the number of vulnerabilities that Oracle is being forced to patch: up from just 78 in January 2012, to more than 250 per quarter over the past year.
Furthermore, on top of the patches for 25 vulnerabilities rated 10 out of 10 by CVSS, a further 15 were rated critical.
Forty-seven of the patches are intended to fix financial services applications, while 39 are intended to fix vulnerabilities in the widely used open-source database MySQL.
One of the fixes for the Solaris operating system was highlighted by the recent Shadow Brokers release of hacking tools linked to the US National Security Agency.
A total of 39 are intended to fix vulnerabilities in retail applications, fixes that may go back to last year's serious breach of the company's MICROS retail systems unit - and Oracle isn't the only retail systems vendor that has been targeted.
Moreover, the release includes patches to fix vulnerabilities across the whole range of Oracle enterprise resource planning (ERP) software applications - PeopleSoft, E-Business Suite, JD Edwards, Siebel CRM, Oracle Financial Services, and Oracle Primavera Products Suite, with almost two-thirds of them exploitable remotely without the requirement for credentials.
"Oracle's critical patch update for April 2017 is characterised by the record-setting number of fixes addressing vertical applications. Security issues in Financial Services, Retail, Communications, Utilities, Hospitality, Health Sciences, and Insurance applications total 122 and account for 37% of all patches. Moreover, 61% (75) of them are exploitable remotely," warned ERP software security specialists ERPScan.
It also highlighted some of the most severe of the critical vulnerabilities that the patch-drop should fix:
- Easily exploitable vulnerability in the Solaris component of Oracle Sun Systems Products Suite, which enables an unauthenticated attacker with network access via multiple protocols to compromise Solaris. While the vulnerability is in Solaris, attacks may significantly affect additional products. Successful attacks of this vulnerability can result in takeover of servers running Solaris. This is believed to be the flaw exploited by the hacking tool released by Shadow Brokers earlier this month;
- Easily exploitable vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL that allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. While the vulnerability is in MySQL Enterprise Monitor, attacks may significantly affect other products;
- Easily exploitable vulnerability in Oracle Financial Services Data Integration Hub that allows an unauthenticated attacker with network access via HTTP to compromise the software and can result in its takeover.
ERPScan also highlighted 10-out-of-10-rated vulnerabilities in Oracle's Flexcube Private Banking software.
Organisations need to patch their enterprise systems as a matter of priority, warned ERPScan chief technology officer Alexander Polyakov, as they are increasingly regarded as more lucrative targets for the most sophisticated cyber crime gangs than individuals.
"Nowadays, hackers set their eyes on enterprises more than on individuals, as they understand that they are more profitable targets. Taking into account that Oracle's products are installed in the largest enterprises, these applications can be their ultimate target.
"The good news is that the vendor drew attention to this critical area before a serious data breach happened. The bad news is that Oracle admins will have a lot of work to do installing numerous patches."
V3 also asked ERPScan whether the Oracle MICROS patches might be related to last year's retail systems hack.
"We cannot say anything for sure, because the vendor does not provide many technical details of the closed issues," Polyakov told V3. "One thing that is safe to say is that the Oracle MICROS hack drew the vendor's attention to retail application security, as the breach became notorious.
"The vulnerability affecting four MICROS subcomponents (CVE-2016-3506) is in Oracle Net, which enables a network session from a client application to an Oracle database server. Simply put, it is a kind of a data courier between a client and the server.
"According to Oracle's documentation, Oracle Net is installed on every workstation within the network. The bug seems critical as it is exploitable over the network without requiring any credentials and its impact on confidentiality, integrity and availability is assessed as 'high'."