19th July is slated for the release of a giant update being released by Oracle to cover further vulnerabilities in what appears to be a developing trend.
Rapid7's Ross Barrett, senior manager of security engineering, commented: "Relatively quiet Critical Patch Update (CPU) from Oracle this quarter. Relative is of course subjective to Oracle, since this gigantic pile of unrelated code fixes includes 89 distinct CVEs and touches 20+ distinct products.
The highest risk issue is scored with a CVSS of 9 because it’s remotely exploitable without authentication. This vulnerability in the XML Parser in Oracle’s Database Server is part of by a mixed bag of other vulnerabilities ranging from mild to serious.
Oracle Fusion middleware is seeing a lot of attention this quarter with 21 fixes, but nothing super critical. The highest CVSS score is 7.5, nothing to ignore.
Solaris is hit with two remote DoS attacks, plus a couple of local elevation of privilege issues.
With such a diverse range of products in this quarter’s patch, it's hard to tackle these from top to bottom with recommendations. I recommend patching any vulnerable Oracle Database Server instances ASAP and don’t neglect the stability or integrity of the Solaris deployment."
Craig Young, security researcher at Tripwire added: “The constant drumbeat of critical Oracle patches is more than a little alarming particularly because the vulnerabilities are frequently reported by 3rd parties who presumably do not have access to full source code. This month’s CPU credits 18 different researchers coming from more than a dozen different companies.
It’s also noteworthy that there every Oracle CPU release this year has plugged dozens of vulnerabilities. By my count, Oracle has already acknowledged and fixed 343 security issues in 2013. In case there was any doubt, this should be a big red flag to end users that Oracle’s security practices are simply not working.”
Read more about the Oracle patch update from GFI Software.