Oracle Critical Patch Update. What are the main risks?

From 2005 to the present day, Oracle releases quarterly its set of security patches (so-called Critical Patch Updates, or CPU) on Tuesday closest to the 17th day of January, April, July, and October. This quarter, regular CPU was published on 19th July. Since 2008, I have been contributing to this initiative, I was acknowledged in at least 15 Critical Patch updates and helped Oracle to fix around 50 security vulnerabilities (mainly in the database but also in business applications such as ERPs).

Oracle’s CPUs are known for their large volume (the average number of closed issues is 114, and for 2016 it already amounts to 220). The latest CPU is not an exception – it closes a record-breaking number of 276 vulnerabilities in different product families.

According to the data presented above, it is obvious that the number of the issues is growing. The given graph shows that just a year ago CPU number rose to a nearly 200-mark. This year, Oracle has overdone itself twice. The January CPU was named a “monster patch” in the media by its daunting volume of 248 fixes. However, the worst was yet to come. The number of vulnerabilities has reached its peak of almost 300.

However, one should take into account not only a number of patches, but also the criticality of issues they close. First of all, these vulnerabilities affect 81 Oracle’s product. To make matters worse, more than a half of vulnerabilities (159 of 276) can be exploited remotely without authentication and 19 received the CVSS base score of 9.8 – almost the highest rating.

It's not all bad news. 36 patches address vulnerabilities in industry-specific solutions, including 10, which can be exploited remotely without authentication.

In my opinion, these bugs are worth attention. Usually, most of the news sources cover Database and Java updates. Without a doubt, they are important, but frankly speaking, they don’t draw much attention, because Oracle admins got used to them.

What’s more important, they got used to closing them in time and monitoring the implementation process. Nonetheless, there is a number of applications people pay not much attention to. Often, vulnerabilities in these applications stay unpatched. You might have guessed, I mean industry-specific solutions.

Oracle vulnerabilities by industry

One of the features of this critical patch update is a significant number of vulnerabilities in applications designed to meet specific industry requirements. 36 security issues were fixed in Retail, Insurance, Health, Financial, and Utility solutions.


In Oracle for Retail components, there are 4 vulnerabilities, which can be remotely exploited without authentication. Each of them has almost highest CVSS score of 9.8. These issues were identified in the following application components:

  • Integration Bus,
  • Order Broker,
  • Service Backbone,
  • Inventory management.

As their names imply, these components have vital importance for Retail infrastructure and provide integration between other Oracle retail components and a company infrastructure, including other mission-critical applications. Attacks on these applications can disrupt business processes (e.g., payment, supply chain, etc.) in a retail company. In addition, an attacker can exploit these issues to completely control data transfer between components and, thus, commit fraud by changing some data during transfer. Here you can find more details about this critical patch update and Retail Cybersecurity issues.


Another remotely exploitable issue was identified in Oracle Health Sciences Clinical Development Center application that provides a centralized environment for storing and integrating all clinical data as well as a controlled solution for automating and managing analysis and reporting. Such information as electronic data capture (EDC), electronic patient reported outcomes (ePRO), labs, trial supply information, images, and other data sources can be found in this system.

Practical takeaway

As you might expect, Oracle strongly recommends its customers to implement the patches as soon as they are released. No doubt, it is easier said than done. Oracle systems are complex and multi-component, not to mention numerous customizations every company usually has. In other words, Oracle admins should be ready for arduous and time-consuming work of implementing all the patches. And once again, please remember that Oracle updates are not limited to don’t end up with just Java and Database.