If you are an Oracle customer then you should install April security update as soon as possible to fix 297 security flaw. Attackers may target firms that are slow in the update.
Of 297 flaws 53 are ‘critical’ security flaw with a CVSS score of 9.0 or higher. In fact, 49 of those have a CVVS score of 9.8. The April critical patch update includes fixes for 297 security flaws affecting Oracle’s Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, PeopleSoft, and Siebel CRM.
Oracle is advising customers to “apply Critical Patch Update fixes without delay”.There is evidence that hackers are specifically targeting fixed exploits in the hope firms won’t have got around to patching them. What makes these exploit more dangerous is that 42 flaws can be exploited remotely without requiring user credentials.
Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” according to the company’s Wednesday advisory. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply critical patch update fixes without delay.”
Status Of Flaws In Different Platform?
Oracle E-Business Suite has 35 security flaw in which 33 can be exploited remotely with user credential.
Patches for the Oracle E-business suite address 35 flaws, of which 33 can be remotely exploited without requiring user credentials, while the patches for Oracle Communications applications address 26 flaws, of which 19 can be exploited remotely, no passwords needed.
Oracle Fusion Middleware addresses 53 security flaw, of which 42 can be exploited remotely. Even 12 flaws have a CVSS score of 9.8. While, MySQL, Oracle’s open-source relational database management system received fixes for 45 security flaw.
Among the April 2019 patch update, 106 of the bugs were reported to Oracle by external researchers. Mateusz Jurczyk of Google Project Zero reported two of the five Java SE vulnerabilities, which are tracked as CVE-2019-2697, CVE-2019-2698.
It also noted that Oracle’s own ethical hacking team (EHT) breaks their products to find security flaw. And they found a significant part of these security flaws. Oracle’s next two critical patch updates are scheduled for 16 July and 15 October.
If you any these Oracle made product then the first thing you should do is to update your product as soon as possible.