Oracle has released the July 2016 Critical Patch Upgrade, and there is some scary stuff there. Oracle has moved to the new CVSS 3.0 rating, which is the only reason they don’t score any perfect 10s (absolute worst). But there is still 19 occurrences of the scary 9.8 score: Remotely exploitable without authentication and with low attack complexity.
Among the products with these critical bugs:
- Oracle Retail
- Oracle Health Sciences