As part of its July 2021 Critical Patch Update (CPU), Oracle announced the release of 342 new security updates on Tuesday. More than half of the vulnerabilities addressed may be exploited remotely without authentication.
Oracle states in its advisory that around 50 of the vulnerabilities are of critical severity, with one of them having a CVSS score of ten.
The most serious of these vulnerabilities is CVE-2021-2244, a security flaw in the Essbase Analytic Provider Services (JAPI) product of Oracle Essbase that could be exploited remotely without authentication and lead to the complete takeover of the affected product.
“An unauthenticated attacker with network access via HTTP can compromise Essbase Analytic Provider Services thanks to an easily exploitable vulnerability.” While the vulnerability is in Essbase Analytic Provider Services, Oracle warns that attacks could have a substantial impact on other products.
Fusion Middleware received the most patches in this quarterly round of updates, with 48 vulnerabilities addressed overall, including 35 that could be exploited remotely by unauthenticated attackers. There are 9 critical-severity bugs among them, with CVSS scores of 9.8 and 9.9.
Other Oracle software receiving patches for a large number of vulnerabilities in the July 2021 CPU includes MySQL (41 addressed issues – 10 of them remotely exploitable without authentication); Communications Applications (33 bugs – 22 remotely exploitable); Retail Applications (23 – 15); Financial Services Applications (22 – 17); E-Business Suite (17 – 3); and Database S (26 – 23).
PeopleSoft, Systems Risk, Commerce, Construction and Engineering, Essbase, JD Edwards, Enterprise Manager, Java SE, Hyperion, and Virtualization are also among the Oracle apps that received patches this month.
According to Oracle, the available workarounds include blocking network protocols that attackers may exploit. In some circumstances, reducing the privileges that an attack requires to succeed may also help to reduce the risk.
Overall, Oracle advises users to install the available updates as soon as possible, as this will considerably lower the risk of successful attacks. The IT giant also says it receives reports of attacks targeting vulnerabilities for which security updates were released in the past but which users have yet to apply.
“As a result, Oracle strongly advises users to stay on actively-supported versions and apply Critical Patch Update security patches as soon as possible,” the company says.