Oracle's critical security update: 154 problems fixed in latest patch

Oracle's October critical patch update includes security updates and patches for 154 vulnerabilities including a flaw which allows an attacker full control over a vulnerable system.

The California-based company's October 2015 Critical Patch Update includes 154 fixes which patch holes in a wide range of products, including Oracle Database, Fusion Middleware, Hyperion, Enterprise Manager, Oracle Linux & Virtualization, Java and MySQL.

In total, 8 fixes have been issued for Oracle Database, and the most severe vulnerability allowed attackers to remotely exploit a system without authentication, potentially resulting in the total loss of system control by the user.

The vulnerability, CVE-2015-4863, has been given a CVSS Base Score of 10.0. In addition, three other database vulnerabilities were given a CVSS Base Score of 9.0.

Another security flaw at the top of the severity list impacts the Oracle Sun Systems Products Suite. CVE-2015-4915, which has been awarded a CVSS Base Score of 10.0, is a vulnerability related to the Integrated Lights Out Manager (ILOM) -- which, unfortunately, is used across a wide range of products.

Oracle has also provided 23 security fixes for Oracle Fusion Middleware, 16 of which are remote exploit flaws, one low-severity fix for Hyperion and five fixes for Oracle's Enterprise Manager Grid Control software.

The latest CPU also patches up 14 flaws in Oracle Industry Applications, four problems in Oracle Retail Applications and two in MySQL.

Every patch cycle we expect Java to make an appearance, and October's critical update is no exception. Oracle has patched up 25 vulnerabilities, 24 of which allow for remote execution -- and the highest risk score awarded to one of these flaws is 10.0.

In total, 20 of the vulnerabilities are browser-based, while the remaining five impact on client and server deployments.

Oracle states:

"Due to the severity of a number of vulnerabilities fixed in this Critical Patch Update, Oracle recommends that the necessary patches be applied as soon as possible.
As of October 19, the company's security team didn't have any indication that any of the most severe vulnerabilities fixed in this Critical Patch Update had been successfully exploited in the wild. However, it is our experience that malicious actors will often attempt to reverse-engineer fixes to develop exploit code in an attempt to attack organizations lagging behind in their patching effort."

The next critical patch update will be released on 19 January 2016.