Oracle closes over 500 security holes

With quarterly updates in April, Oracle eliminates 520 vulnerabilities in its extensive product range. In addition to a number of industry solutions, this also includes Java, VirtualBox and MySQL.

The US software manufacturer Oracle holds its Patch Day only every three months, under the name “Critical Patch Update” (CPU). Because of the extensive product portfolio and the relatively long update cycle, there are regularly several hundred vulnerabilities to fix. On the first CPU day of the year in January there were 497, and in April 520. This is the highest number of vulnerabilities Oracle has ever patched on a single CPU day.

A number of the fixed vulnerabilities are classified as critical. For risk assessment, Oracle uses the industry standard CVSS 3.1 (Common Vulnerability Scoring System), whose highest value is 10.0. Microsoft has also been publishing a CVSS score for fixed vulnerabilities for some time.

The biggest items

Once again, Oracle has closed the most security holes in its products for the telecommunications industry (Communications). Of the 149 patched vulnerabilities, 98 can be exploited over the network without user login; two of them reach a CVSS score of 10.0, and 31 are just below that at 9.8. With 43 fixed vulnerabilities, the open source database server MySQL is also in the top group. Here, 11 vulnerabilities can be exploited over the network without user login, and two reach a CVSS score of 9.8. The latest MySQL versions (MySQL Community Server) remain 8.0.28 and 5.7.37.

Oracle has closed a total of six vulnerabilities in Java SE (Standard Edition). All of them are exploitable over the network without user login (CVSS at most 7.5). The latest Java generation, Java 18, introduced in March 2022, receives its first security update with version 18.0.1. A second update, already its last, will follow in July, before Java 19 replaces it in September. Java 17, like Java 11, is an LTS (Long Term Support) version; both will receive updates for eight years. For Java 17 the latest version is 17.0.3, for Java 11 it is 11.0.15.

For end users, Java 8 (JRE, Java Runtime Environment) remains the most relevant; it receives free security updates for private use for an indefinite period, and Oracle intends to announce the end of support 18 months in advance. Commercial users, on the other hand, have had to pay for these updates since April 2019, but will be supplied with them until the end of 2030. The latest version is Java 8 Update 331 (8u331). As a browser extension (JRE plug-in), Java now runs only in Internet Explorer 11 and in the Firefox/Gecko-based Waterfox Classic browser, which, unlike current Firefox versions (and Waterfox 4.x), still uses the old NPAPI plugin interface.

An update to version 6.1.34 is available for the open-source virtualization solution VirtualBox. In it, Oracle has fixed five vulnerabilities, one of which has a CVSS score of 7.8 but affects only Windows systems. There are also numerous bug fixes.

The next regular Oracle CPU Day is July 19, 2022.
