Oracle has released its Critical Patch Update for October 2018, fixing 301 vulnerabilities across a wide range of its products, including Oracle Database Server, Oracle E-Business Suite, Oracle Java SE, and others.

“As with previous Critical Patch Update releases, a significant proportion of the patches is for third-party components (non-Oracle CVEs, including open source components),” Oracle Software Security Assurance Director Eric Maurice has noted.

This CPU is the last one scheduled for 2018, and brings the total number of vulnerabilities fixed in 2018 to 1119.

As expected, the update for Oracle Fusion Middleware, which incorporates a number of Oracle software products and spans multiple services, carries the greatest number of patches: 65.

56 of these 65 vulnerabilities are remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

Going by the number of vulnerabilities patched, Fusion Middleware is followed by Oracle MySQL (38), Oracle Retail Applications (31), and Oracle PeopleSoft (24).

Prioritizing patches

Oracle usually releases Risk Matrices for each vulnerability fixed to help administrators prioritize patches.

45 of the flaws patched this month carry a CVSS (Common Vulnerability Scoring System) score of 9.8 and can be easily exploited by less skilled, unauthenticated, remote attackers over a network.

One vulnerability – CVE-2018-2913 affecting Oracle GoldenGate, a software package for real-time data integration and replication in heterogeneous IT environments – has even received the maximum CVSS score of 10.0 (on platforms other than Windows and Linux).

It affects versions 12.1.2.1.0, 12.2.0.2.0 and 12.3.0.1.0, and allows an unauthenticated attacker with network access via TCP to compromise the software.

Waratek noted that this CPU includes the first patch for Java 11.

“Java 8 is set for end-of-public support in January 2019, but the vast majority of patches in the Q4 and preceding updates address flaws in Java 8 and earlier versions of Java. In fact, this CPU includes fixes for CVEs dating back four years,” the company also warned.

“Only a relative handful of CVEs linked to Java 9, 10 and now 11, have been issued since the release of Java 9 in July 2017. Yet, various researchers continue to report that the vast majority of new enterprise applications continue to be written in Java 8.”

Oracle, as per usual, advises customers to remain on actively-supported versions and apply Critical Patch Update fixes without delay.

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches,” the company notes.