Oracle has released its first quarterly Critical Patch Update of the year, urging customers to immediately apply the bundle’s 270 fixes to a number of its products.
Product families fixed in this update include Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.
Oracle’s updates are typically large but the 270 fixes in this advisory are just short of Oracle’s record critical update last July, which contained 276 fixes.
As with previous updates, Oracle is urging customers to apply the updates “without delay” as “it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches”.
Security firm Qualys notes that over 100 of the flaws fixed in this update can be used by a remote attacker without requiring credentials.
Patches for Oracle’s FLEXCUBE financial applications make up 20 percent of this update, with a large share of fixes available for Oracle Applications, Fusion Middleware, MySQL, and Java, as well as a significant number of fixes for Oracle retail applications and PeopleSoft.
Overall, 16 of the 17 Java flaws are remotely exploitable without needing user logins, while five of the 27 MySQL flaws are remotely exploitable.
Qualys’ analysis of several popular databases shows that MySQL has seen the largest number of vulnerabilities by CVE tags over the past five years. The cloud security firm reports a 30 percent uptick in those vulnerabilities between 2015 and 2016.
Among the fixes are eight patches for Oracle’s retail applications, including one for MICROS, its POS systems. Oracle notes that a bug in the MICROS Lucas system is one of two that are remotely exploitable over the web without requiring authentication. The other remote issue affects the Oracle Retail Order Broker.
POS systems have emerged as a prime target for malware designed to steal credit card data from retail and hotel chains.
MICROS came into focus last year after KrebsOnSecurity reported a serious breach of Oracle’s MICROS support portal, which is used by its retail customers. The portal was said to have been seen communicating with a server controlled by Carbanak, a notorious Russian cybercrime gang.