The April 2018 Critical Patch Update (CPU) will keep system administrators busy with 153 vulnerabilities in business-critical applications alone.
Oracle Fusion Middleware is the most affected family with 39 vulnerabilities, followed by Financial Services Applications (36) and MySQL (33).
According to analyst ERPScan, 30 of the Fusion Middleware bugs are remotely exploitable over a network without authentication, which puts them at the top of the patching list.
In total, 42 vulnerabilities in this CPU carry a CVSS base score of 9.0 or higher, and several reach 9.8, spread across Fusion Middleware, Financial Services, PeopleSoft, E-Business Suite (EBS) and Retail Applications.
Among these, CVE-2018-7489 is listed twice: it affects both the Oracle Financial Services Market Risk Measurement and Management component and the Hedge Management and IFRS Valuations component of Oracle Financial Services Applications, and in each case it is easily exploited by an unauthenticated attacker with network access via HTTP to take over the affected component. The same CVE turns up against several products because it is a deserialization flaw in the third-party jackson-databind library that they bundle, so the fix is the bundled library update in each product's patch.
CVE-2018-2628, a Java deserialization flaw reachable over the T3 protocol, allows an unauthenticated attacker with network access via T3 to compromise an Oracle WebLogic Server; T3 listeners should never be reachable from untrusted networks, with or without the patch.
CVE-2017-5645, a deserialization flaw in the bundled Apache Log4j library, is likewise listed against more than one product: it could allow an unauthenticated attacker with network access to take over JD Edwards World Security, and, via HTTP, to compromise the Oracle Retail Order Management System.
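Because the WebLogic bug above is reachable only over T3, the first check a practitioner will want is whether a listener actually accepts T3 from the network at all, and which version it advertises. The following script is an added example, not code from the article or from Oracle: it sends the plain-text T3 client greeting that WebLogic clients open a connection with, parses the `HELO:<version>.<flag>` reply a T3 listener returns, and flags versions that Oracle's April 2018 advisory lists as affected by CVE-2018-2628. The sample replies are constructed, not captured from a real server, and the meaning of the trailing `true`/`false` flag is not interpreted; note also that a patched server advertises the same base version as an unpatched one, so the banner can only tell you T3 is exposed, never that the CPU has been applied.

```python
import re
import socket

# The T3 client greeting WebLogic's own clients send when opening a connection.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# WebLogic versions listed by Oracle as affected by CVE-2018-2628 (April 2018 CPU).
AFFECTED_CVE_2018_2628 = {"10.3.6.0", "12.1.3.0", "12.2.1.2", "12.2.1.3"}

# A T3 listener replies "HELO:<dotted version>.<true|false>" followed by header lines.
HELO_RE = re.compile(rb"^HELO:(\d+(?:\.\d+)+)\.(true|false)")


def parse_t3_response(data: bytes):
    """Parse the server's reply to the T3 greeting.

    Returns a dict with the advertised version and the raw trailing flag
    (its meaning is not interpreted here), or None when the reply is not a
    T3 HELO (an HTTP error, a banner from some other service, or nothing).
    """
    m = HELO_RE.match(data)
    if not m:
        return None
    return {"version": m.group(1).decode("ascii"),
            "flag": m.group(2).decode("ascii")}


def assess(resp):
    """Turn a parsed reply into a one-line finding for the scan report."""
    if resp is None:
        return "T3 not accepted on this port"
    if resp["version"] in AFFECTED_CVE_2018_2628:
        # Patched and unpatched builds share the same base version string,
        # so the banner alone cannot prove the April 2018 CPU is applied.
        return (f"T3 exposed, WebLogic {resp['version']} is in the CVE-2018-2628 "
                "affected list; verify the patch level on the host")
    return f"T3 exposed, WebLogic {resp['version']} (outside the affected list)"


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0):
    """Send the T3 greeting over TCP and parse the reply (makes a network call)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(T3_HELLO)
        data = s.recv(1024)
    return parse_t3_response(data)


if __name__ == "__main__":
    # Constructed replies, not captured from a real server.
    samples = {
        "t3 listener": b"HELO:12.2.1.3.false\nAS:2048\nHL:19\n\n",
        "http-only port": b"HTTP/1.1 400 Bad Request\r\n\r\n",
    }
    for name, raw in samples.items():
        print(f"{name}: {assess(parse_t3_response(raw))}")
    # Against a live host: print(assess(probe_t3("weblogic.example.internal", 7001)))
```

Run it against the administration and managed-server ports from a network segment that should not have T3 access; any `T3 exposed` result there is a finding in its own right, independent of the CVE, since the fix for that is a WebLogic connection filter or firewall rule rather than a patch.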
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the tech giant claimed. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.”
The update follows last quarter’s CPU, released in January 2018, which delivered fixes for products affected by one of the recently disclosed Spectre processor vulnerabilities.