By SecurityWeek News on July 20, 2016
Oracle on Tuesday released its Critical Patch Update (CPU) for July 2016 to address a total of 276 vulnerabilities across multiple products, including 19 critical security flaws that have a CVSS score of 9.8.
This month’s Oracle CPU contains a record number of fixes, after the January 2016 set of patches established another one, at 248 security fixes. More worrying than the sheer number of addressed vulnerabilities is that 159 can be exploited remotely without authentication.
Overall, the July CPU addresses 36 security issues in applications designed specifically for the Retail, Insurance, Health, Financial, and Utility industries. However, with 4 remotely exploitable vulnerabilities without authentication in sector-specific products, the Retail industry appears to have been affected the most.
These critical bugs have high-severity CVSS Scores between 7.0 and 10.0, and some of them are vulnerabilities in the HotSpot JVM internals, meaning that customers need to apply the Java CPU patches as soon as possible, John Matthew Holt, Java security expert and Waratek CTO, explains.
With a CVSS score of 9.6 and affecting Java SE 7 and/or Java SE 8, CVE-2016-3587 and CVE-2016-3606 are in the lead. CVE-2016-3550, which affects the HotSpot JVM internals for Java SE versions 6, 7, and 8 is on the list too, though with a much lower severity, given its CVSS score of 4.3.
“In circumstances where immediate physical patching is not feasible, organizations should apply virtual patching to provide immediate, interim security controls. Also, organizations should be actively planning for the frequency and depth of security fixes to increase in the years ahead,” Holt also says.
