
Oracle updates fix 400 security vulnerabilities

Updates are available for Java, VirtualBox and MySQL, among others.

With the quarterly updates in October, Oracle eliminates 402 vulnerabilities in its extensive product range. In addition to numerous industry solutions, this also includes Java, VirtualBox and MySQL.

The US software manufacturer Oracle holds its patch day only every three months and calls the releases "Critical Patch Updates" (CPU). Due to the extensive product portfolio and the rather long update cycle, there are regularly several hundred vulnerabilities to be fixed. On the last CPU day of 2020, October 20, there are 402. Many of the fixed vulnerabilities are classified as critical. For this classification, Oracle uses the industry standard CVSS 3.0 (Common Vulnerability Scoring Standard), the highest value of which is 10.0. Microsoft has also been providing a CVSS score for some time.

The largest number of fixes goes to Oracle's solutions for the financial industry. Of the 53 vulnerabilities, 49 can be exploited over the network without a user login, ten of which reach the CVSS score 9.8. The well-known open source database server MySQL is on par with 53 vulnerabilities, but only four of them can be exploited remotely and only one reaches the CVSS score 9.8.

The software for the communications sector follows closely behind with 52 vulnerabilities. Of these, 41 can be exploited remotely without logging in, ten of which have a CVSS score of 9.8. Fusion Middleware receives updates against 46 security holes, 36 of which can be exploited without logging in, mostly via HTTP over the network. Of these vulnerabilities, 18 reach the very high CVSS score of 9.8.

In Java SE (Standard Edition), Oracle has plugged a total of eight holes, all of which can be exploited over the network without a user logging in (CVSS maximum value 5.3). The latest Java generation 15, which was only introduced in September, already receives a security update with Java 15.0.1. Java 11 is a so-called LTS (Long Term Support) version and will be provided with updates for eight years - Java 11.0.9 is the latest version. In July, both Java generations each had eight fixed vulnerabilities.

This brings the number of vulnerabilities eliminated this year to 1578. The next regular Oracle CPU Day is January 19, 2021.

About Author

I am a technology writer for UpdateStar, covering software, security, and privacy as well as research and innovation in information security. I worked as an editor for German computer magazines for more than a decade before starting to be a team member at UpdateStar.
