With the quarterly updates in July, Oracle fixes 349 vulnerabilities in its extensive product range. In addition to a number of industry solutions, this also includes Java, VirtualBox and MySQL.
The US software manufacturer Oracle only holds its Patch Day every three months. Oracle speaks of “Critical Patch Updates” (CPU). Due to the extensive product portfolio and the relatively long update cycle, there are regularly several hundred gaps that need to be eliminated. In July there were at least 349 vulnerabilities. On the previous CPU day in April, there were even 520 gaps to fill.
A number of the eliminated vulnerabilities can be classified as critical. For the risk assessment, Oracle uses the industry standard CVSS 3.1 (Common Vulnerability Scoring System), whose highest value is 10.0. Microsoft has also been providing a CVSS score for fixed security vulnerabilities for some time.
The biggest chunks
The largest share of the closed security gaps is in Oracle's product family for financial service providers. Of its 59 vulnerabilities, 38 can be exploited remotely without user login, 13 of which have a CVSS score of 9.8. Products for the telecommunications industry (Communications) follow closely behind. Of the 56 patched vulnerabilities, 45 can be exploited over the network without user login; four of them reach the highest possible CVSS score of 10.0, and 13 are just below that at 9.8. With 43 fixed vulnerabilities, the open source database server MySQL is also in the top group. Here, 11 vulnerabilities can be exploited over the network without user login, three of which reach a CVSS score of 9.8. The latest MySQL versions (MySQL Community Server) are 8.0.29 and 5.7.38.
Oracle has closed a total of four vulnerabilities in Java SE (Standard Edition). Three are exploitable over the network without user login (CVSS max 7.5). The latest Java generation 18, which was introduced in March 2022, is already receiving its last security update with version 18.0.2 before being replaced by Java 19 in September. Java 17, on the other hand, like Java 11, is an LTS (Long Term Support) version. Both will be updated for eight years. For Java 17, version 17.0.4 is the latest, for Java 11, it is version 11.0.16.
For users, Java 8 (JRE – Java Runtime Environment) remains primarily relevant. The latest version is Java 8 Update 341 (8u341). Java 8 will be provided with free security updates for private use for an indefinite period. Oracle wants to announce the end of support 18 months in advance. Companies and authorities, on the other hand, have had to pay for these updates since April 2019, but will be supplied with them until the end of 2030.
As a browser extension (JRE plug-in), Java only runs in the obsolete Internet Explorer 11 and in the Firefox/Gecko-based Waterfox Classic browser. In contrast to current Firefox versions (and Waterfox 4.x), this still contains the old NPAPI interface for plug-ins – and various security gaps that have not been addressed for years.
The open source virtualization solution VirtualBox is available in the new version 6.1.36. In it, Oracle fixed two vulnerabilities, one of which achieved a CVSS score of 8.2. As always, there are numerous bug fixes.
The next regular Oracle CPU day is October 18, 2022. Since April 2022, these dates have always been on the third Tuesday in January, April, July and October.