Oracle Patch Day Updates of April 2024 available

Oracle fixed 441 vulnerabilities across its extensive product range. In addition to a number of industry solutions, these also include Java, VirtualBox and MySQL.

With quarterly security updates, Oracle fixed 441 vulnerabilities across its extensive product range in April. In addition to a number of industry solutions, these also include Java, VirtualBox and MySQL.

The US software manufacturer Oracle holds its Patch Day only every three months and refers to these releases as Critical Patch Updates (CPU). Because of the extensive product portfolio and the relatively long update cycle, there are regularly several hundred vulnerabilities to fix; in April there were 441.

A number of the fixed vulnerabilities can be classified as critical. Oracle does not say whether any of them are already being exploited in attacks (0-day vulnerabilities). For risk assessment, Oracle uses the industry standard CVSS 3.1 (Common Vulnerability Scoring System), whose highest value is 10.0. Microsoft has also been providing a CVSS score for fixed security vulnerabilities for some time now.

The most important updates

Oracle has closed most of the security gaps in its product family for the telecommunications industry (Communications). Of the 93 vulnerabilities, 71 can be exploited via the network without user login, one of which achieves a CVSS score of 9.8. Fusion Middleware follows with 51 closed vulnerabilities. Of these, 35 can be exploited over the network without user login, and ten achieve a CVSS score of 9.8. Products for banks and financial services follow closely behind with 49 vulnerabilities, 30 of which can be exploited via the network and two of which achieve a CVSS score of 8.8.

With 36 vulnerabilities fixed, the open source database server MySQL is in the upper midfield. Nine vulnerabilities can be exploited via the network without user login, two achieve a CVSS score of 7.5. The latest MySQL (MySQL Community Server) versions available are 8.3.0 (“Innovation”) and 8.0.36. There have been no more updates for MySQL 5.7 since October 2023.

Java updates

In Java SE (Standard Edition), Oracle has fixed a total of 13 security holes, 10 of which can be exploited over the network without user login (maximum CVSS score of 7.5). Four of these vulnerabilities only affect GraalVM for enterprises. In March, Oracle released Java 22, which will be replaced by Java 23 in September. Java 21 from September 2023, however, is an LTS version (Long Term Support), as are Java 17 and Java 11; LTS versions receive updates for eight years. The latest versions are 22.0.1, 21.0.3, 17.0.11 and 11.0.23. Starting with Java 9, Java-based applications bring along the runtime components they need, so unlike with Java 8, users usually do not have to install and update the Java Runtime Environment (JRE) themselves.

According to Oracle, Java 8 (JRE – Java Runtime Environment) remains relevant for users and is recommended by Oracle. The latest version is Java 8 Update 411 (8u411), in which Oracle has eliminated eight vulnerabilities. Java 8 will be provided with free security updates for private use for an indefinite period of time; Oracle intends to announce the end of support 18 months in advance. Companies and authorities, on the other hand, have had to pay for these updates since April 2019, but will receive them until the end of 2030.

As a browser extension (JRE plug-in), Java only runs in the obsolete Internet Explorer 11, in Pale Moon (based on Firefox) and in the Waterfox Classic browser, which is based on the old Firefox/Gecko code. Unlike current Firefox versions (and Waterfox from 4.x), the latter still contains the old NPAPI interface for plug-ins, but also various security gaps that have existed for years. Pale Moon (current version: 33.0.2 from March 26, 2024) also still has the old NPAPI interface but is based on an independently developed Firefox fork; it still runs on Windows 7 and continues to be maintained with security updates.

VirtualBox update

The open source virtualization solution VirtualBox is available in the new version 7.0.18. Oracle has eliminated 13 vulnerabilities, at least one of which can be exploited via the network. One or two of them may allow code running inside a VM to be executed on the host system. Support for the 6.1 branch officially expired in December 2023; its last version is 6.1.50.
