Oracle Critical Patch Update. What are the main risks?

Since 2005, Oracle has released its set of security patches (so-called Critical Patch Updates, or CPUs) quarterly, on the Tuesday closest to the 17th day of January, April, July, and October. This quarter, the regular CPU was published on 19th July. Since 2008, I have been contributing to this initiative: I was acknowledged in at least 15 Critical Patch Updates and helped Oracle to fix around 50 security vulnerabilities (mainly in the database but also in business applications such as ERPs).

Oracle’s CPUs are known for their large volume (the average number of closed issues is 114, and for 2016 it already amounts to 220). The latest CPU is not an exception – it closes a record-breaking number of 276 vulnerabilities in different product families.

According to the data presented above, it is obvious that the number of issues is growing. The given graph shows that just a year ago the CPU count rose to nearly the 200 mark. This year, Oracle has outdone itself twice. The January CPU was named a “monster patch” in the media for its daunting volume of 248 fixes. However, the worst was yet to come. The number of vulnerabilities has reached its peak of almost 300.

However, one should take into account not only the number of patches, but also the criticality of the issues they close. First of all, these vulnerabilities affect 81 Oracle products. To make matters worse, more than half of the vulnerabilities (159 of 276) can be exploited remotely without authentication, and 19 received a CVSS base score of 9.8, almost the highest rating.

It's not all bad news. 36 patches address vulnerabilities in industry-specific solutions, including 10 that can be exploited remotely without authentication.

In my opinion, these bugs are worth attention. Usually, most news sources cover Database and Java updates. Without a doubt, they are important, but frankly speaking, they don’t draw much attention, because Oracle admins have gotten used to them.

What’s more important, they have gotten used to closing them in time and monitoring the implementation process. Nonetheless, there are a number of applications people pay little attention to. Often, vulnerabilities in these applications stay unpatched. As you might have guessed, I mean industry-specific solutions.

Oracle vulnerabilities by industry

One of the features of this critical patch update is a significant number of vulnerabilities in applications designed to meet specific industry requirements. 36 security issues were fixed in Retail, Insurance, Health, Financial, and Utility solutions.


In Oracle for Retail components, there are 4 vulnerabilities that can be remotely exploited without authentication. Each of them has a CVSS score of 9.8, almost the highest. These issues were identified in the following application components:

  • Integration Bus,
  • Order Broker,
  • Service Backbone,
  • Inventory management.

As their names imply, these components are vitally important to Retail infrastructure and provide integration between other Oracle retail components and a company's infrastructure, including other mission-critical applications. Attacks on these applications can disrupt business processes (e.g., payment or supply chain) in a retail company. In addition, an attacker can exploit these issues to completely control data transfer between components and thus commit fraud by changing some data during transfer. Here you can find more details about this critical patch update and Retail Cybersecurity issues.


Another remotely exploitable issue was identified in the Oracle Health Sciences Clinical Development Center application, which provides a centralized environment for storing and integrating all clinical data as well as a controlled solution for automating and managing analysis and reporting. Information such as electronic data capture (EDC), electronic patient reported outcomes (ePRO), labs, trial supply information, images, and other data sources can be found in this system.

Practical takeaway

As you might expect, Oracle strongly recommends that its customers implement the patches as soon as they are released. No doubt, it is easier said than done. Oracle systems are complex and multi-component, not to mention the numerous customizations every company usually has. In other words, Oracle admins should be ready for the arduous and time-consuming work of implementing all the patches. And once again, please remember that Oracle updates are not limited to just Java and Database.

Stories by Alexander Polyakov
