237 security vulnerabilities in Oracle – do you patch?

At a recent conference presentation I attended, the presenter asked how many in the audience worked in an organization where all Oracle security patches were evaluated and installed as relevant. Fewer than 20% raised their hands. The remainder were evenly distributed among “we often install” and “we sometimes install”. That’s not good enough.

The end of January is one of those scary times of the year when Oracle announces the quarterly Critical Patch Update. This time, there are 237 vulnerabilities fixed, many of them of the worrying type that can be exploited remotely without authorization. These are the security holes that can be used by anyone who can reach your system over the network. Pretty much the whole range of Oracle software contains vulnerabilities, including database, WebLogic, Identity Manager, WebCenter and almost all of the applications (E-Business Suite, PeopleSoft, J.D. Edwards). As always, there are also a number of Java vulnerabilities.

On a positive note, Oracle has published patches for the Spectre and Meltdown CPU bugs for Oracle Linux 6 and 7, both for the Unbreakable Enterprise Kernel and the Red Hat Compatible Kernel. See Oracle support doc 2348448.1 for details (Oracle support account required).
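Installing the kernel update is only half the job; the other half is confirming that the mitigations are actually active after the reboot. The script below is an added example, not part of the original post or of Oracle's documentation. It assumes a Linux kernel that exposes mitigation status under `/sys/devices/system/cpu/vulnerabilities/` (mainline 4.15 and later, and vendor backports). The `make_sample` helper builds a constructed directory so the logic can be exercised on a machine that lacks those files.

```shell
#!/bin/sh
# Report Spectre/Meltdown mitigation status as exposed by the kernel in sysfs.
# Assumption: the running kernel provides /sys/devices/system/cpu/vulnerabilities/*.
# Run with --demo to exercise the parser against constructed sample files instead.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# cpu_vuln_status DIR NAME -> prints one of: mitigated, vulnerable, unknown
# The kernel writes "Not affected", "Mitigation: <technique>" or "Vulnerable[: detail]".
cpu_vuln_status() {
    f="$1/$2"
    if [ ! -r "$f" ]; then
        echo unknown          # old kernel without the interface, or unsupported entry
        return 0
    fi
    case "$(cat "$f")" in
        "Not affected"|Mitigation:*) echo mitigated ;;
        Vulnerable*)                 echo vulnerable ;;
        *)                           echo unknown ;;
    esac
    return 0
}

# cpu_vuln_report DIR -> one "name status" line per issue; always returns 0
cpu_vuln_report() {
    for name in meltdown spectre_v1 spectre_v2; do
        printf '%-10s %s\n' "$name" "$(cpu_vuln_status "$1" "$name")"
    done
    return 0
}

# cpu_vuln_count_vulnerable DIR -> prints how many of the three are still vulnerable
cpu_vuln_count_vulnerable() {
    n=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ "$(cpu_vuln_status "$1" "$name")" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
    return 0
}

# make_sample -> creates a constructed sysfs-like directory and prints its path.
# Sample values are made up for the demo: two mitigated entries and one still vulnerable.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample)
    cpu_vuln_report "$sample"
    echo "still vulnerable: $(cpu_vuln_count_vulnerable "$sample")"
    rm -rf "$sample"
else
    cpu_vuln_report "$VULN_DIR"
    echo "still vulnerable: $(cpu_vuln_count_vulnerable "$VULN_DIR")"
fi
```

On a patched host every line should read `mitigated`; a count above zero after the reboot means the new kernel is not the one running, or the mitigation was disabled on the kernel command line. `unknown` for all three indicates a kernel that predates the sysfs interface, which on Oracle Linux 6 and 7 means the update from the support note has not been applied.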

Does your organization have a process in place to evaluate and install Oracle CPUs? You should have. Your organization might lose money and reputation if you don’t. And somebody might lose their job.

This post originally appeared in the Oracle Tool Watch newsletter.