Grab a cuppa: Time to sort out that Oracle patch batch

Oracle has released its latest quarterly Critical Patch Update on Tuesday, releasing updates to Fusion Middleware, Peoplesoft, E-Business Suite, MySQL, and several other products. Java SE also got patched.

This set of patches addresses 136 vulnerabilities in several product families, according to business application security specialists ERPscan. Most of the closed issues affect MySQL, PeopleSoft, and Fusion Middleware.

The oldest of the resolved vulnerabilities (CVE-2011-4461) dates back to 2011, according to Chris Goettl, product manager at patch management firm Shavlik.

Applying fixes for Java SE, MySQL and Sun Systems Products Suite ought to be prioritised for patching since vulnerabilities in these technologies “stand a higher chance of being exploited”, Goettl advises.

Oracle has decided to use CVSS v.3.0 (instead of CVSS v.2.0) to provide a more precise assessment of risks for now on. Enterprise software rivals SAP switched to the revised scoring system last month.

As a one off to ease the transition, Oracle provides two lists of advisories using both v. 2.0 and v3.0.

As the result of this threat index switch, there are no vulnerabilities rated at 10.0 (maximum severity) according to CVSS v.3.0.

Using the older CVSS 2.0 index, by contrast, seven vulnerabilities in the patch batch score a maximum. However, the overall number of critical issues with a CVSS of >9.0, according to new CVSS v.3.0 recommendations, comes out at 17. ®