83% of products patched are open to remote execution without credentials
April 2021 Oracle Critical Patch Update:
The April 2021 Oracle Critical Patch Update (CPU) includes 390 patches across 36 product suites, a nearly 19 percent increase in CVE’s patched compared to the Q1 update. Of the 36 product suites patched in the update, 83 percent contain vulnerabilities that can be remotely executed without user credentials. Eighteen (18) product suites contain flaws with CVSS ratings of 9.1 or higher, including three products with scores of 10.0.
Other highlights include:
- More than half (56%) of the vulnerabilities patched can be remotely executed without user credentials.
- There are 70 Oracle patches and one third-party patch included for the Oracle E-Business Suite; 22 of the CVEs can be remotely executed. The highest CVSS score is 9.1.
- There are 45 patches for Oracle Fusion Middleware; 36 of the CVEs can be remotely executed. Six (6) have a CVSS score of 9.8 and can be remotely executed.
- There are 18 patches for Oracle PeopleSoft; 13 of the CVEs can be remotely executed. The highest CVSS score is 8.3.
- There are four (4) Java SE patches that address CVEs which can be remotely executed. Two (2) of the patches fix flaws in Java SE 7u291, 8u281, 11.0.10, & 16. The highest CVSS score is 7.5.
- There are no indications any of the CVEs pathed in the April 2021 Critical Patch Update are currently being exploited in the wild.
Non-Waratek customers should follow the recommended guidelines from Oracle for manually propagating the updated binary patches to your development and test environments, before moving into production.
For Waratek customers, a far simpler process applies. Waratek Patch and Waratek Upgrade customers will receive ARMR virtual patches that address the Oracle CPU CVEs as part of their agreements. Waratek Secure customers will receive ARMR policy recommendations for enabling built-in CWE mitigations that activate zero-day protection with zero tuning or configuration.
In all cases Waratek customers achieve immediate protection to their production applications with no downtime or interruption of service. With Waratek’s range of security agents, customers are protected in five minutes or less.
Waratek is the winner of the 2020 Cyber Defense Magazine’s Cutting Edge Award for Application Security, the Cybersecurity Breakthrough Award’s 2019 Overall Web Security Solution of the Year, and is a previous winner of the RSA Innovation Sandbox Award along with more than a dozen other awards and recognitions. For more information, visit www.waratek.com.