Oracle moves to CVSS 3.0 security bug rating system

Apr 20, 2016 08:53 GMT  ·  By

In its quarterly update train, Oracle addressed 136 security issues in 49 different product suites, among which were the Oracle database, Java, MySQL, Solaris, VirtualBox, SPARC, and Berkeley DB.

This Critical Patch Update (CPU) is the first one Oracle released using the CVSS 3.0 system instead of the old one, CVSS 2.0.

The Common Vulnerability Scoring System (CVSS) 3.0 was published in June 2015 and is meant to classify security problems more accurately than its predecessor; each vulnerability receives a score from 0.0 to 10.0.

This new version of the scoring system is being adopted quickly by large vendors, mainly because it accounts for more factors when assessing the impact of a security bug: it adds a User Interaction metric and a Scope metric (whether a successful exploit affects components beyond the vulnerable one), and it replaces the 2.0 Authentication metric with Privileges Required.

Oracle released April's CPU with both CVSS 2.0 and 3.0 scores, and the difference between the two can be seen in the graphic below (courtesy of ERPScan): more flaws fall into the critical and high bands under the new system than under the old one.

"First of all, I’m glad to see such changes in the scoring system, as there were many discussions about the quality of CVSS v.2.0," said Alexander Polyakov, CTO at ERPScan. "For example, vendors could rate issues discovered in their products as less critical (intentionally or unintentionally) because of some flaws in this scoring system. Now the recently updated system is more accurate and many drawbacks affecting the previous version were resolved."

MySQL received the most security bugfixes

As for the actual fixes, the MySQL database received the most patches, 31, followed by the Oracle Fusion Middleware with 22, and Oracle Sun System Products Suite with 15.

Java also received nine patches, four of which were labeled critical, one high, three medium, and one low priority.

The four Java critical issues were CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, and CVE-2016-3427.

The first three are easy to exploit over various network protocols but require user interaction, such as a victim loading attacker-supplied content, before any malicious code runs. The fourth is harder to exploit, but a successful exploit can affect components beyond the vulnerable one (a scope change in CVSS 3.0 terms). Users should update to the latest Java version, currently Java 8u92.

[Figure: CVSS 2.0 vs CVSS 3.0 for Oracle CPU April 2016, courtesy of ERPScan]

[Figure: Oracle CPU April 2016 CVSS 2.0 breakdown]