Only CVE-2018-2913 got a perfect 10 risk rating

Oct 17, 2018 15:00 GMT  ·  By

Oracle has released its quarterly Critical Patch Update for October 2018, containing security fixes for over 300 vulnerabilities, many of them remotely exploitable without authentication.

Oracle's Critical Patch Updates (CPUs) are usually large collections of security fixes for Oracle's software products, designed to let customers with valid support contracts update their systems quickly.

Oracle releases them on the Tuesday closest to the 17th of January, April, July, and October, and has set the next four CPU dates to 15 January 2019, 16 April 2019, 16 July 2019, and 15 October 2019.
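The schedule rule above (Tuesday closest to the 17th of each quarter month) is easy to encode, which is useful for anyone planning patch windows around CPU releases. The following is an added example, not code from the article or from Oracle; it computes CPU dates for a year and lists the next few after a given day, and can be checked against the four dates Oracle announced.

```python
from datetime import date, timedelta

# Oracle CPUs ship in January, April, July and October.
CPU_MONTHS = (1, 4, 7, 10)


def closest_tuesday(year, month, day=17):
    """Return the Tuesday nearest to the given day of the month.

    weekday() numbers Monday as 0 and Tuesday as 1; the offset to the
    Tuesday in the same week is normalised into -3..+3 so that the
    nearest Tuesday is chosen (a 7-day week has no ties).
    """
    anchor = date(year, month, day)
    offset = 1 - anchor.weekday()
    if offset > 3:
        offset -= 7
    elif offset < -3:
        offset += 7
    return anchor + timedelta(days=offset)


def cpu_dates(year):
    """All four CPU release dates for one calendar year."""
    return [closest_tuesday(year, m) for m in CPU_MONTHS]


def next_cpu_dates(after, count=4):
    """The next `count` CPU dates strictly after the given date."""
    result = []
    year = after.year
    while len(result) < count:
        for d in cpu_dates(year):
            if d > after and len(result) < count:
                result.append(d)
        year += 1
    return result


if __name__ == "__main__":
    # Constructed example: the four releases following this article's date.
    for d in next_cpu_dates(date(2018, 10, 17)):
        print(d.strftime("%d %B %Y"))
```

Running it from 17 October 2018 prints 15 January 2019, 16 April 2019, 16 July 2019 and 15 October 2019, matching the dates Oracle published.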

The flaw with the highest base score in Oracle's October 2018 CPU is CVE-2018-2913, which affects the Monitoring Manager subcomponent of Oracle GoldenGate and can be exploited remotely over a TCP connection by unauthenticated attackers.

The risk rating is that high because, although the vulnerability itself lies only in the Oracle GoldenGate real-time data integration and replication package, a successful attack can also lead to breaking into additional software products installed on the compromised machine.

Oracle GoldenGate's vulnerability in the Monitoring Manager component was the only one with a perfect 10 risk rating

"Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," says Oracle's advisory. "Until you apply the Critical Patch Update fixes, it may be possible to reduce the risk of successful attack by blocking network protocols required by an attack."

Oracle's October 2018 CPU addresses security vulnerabilities in 101 software products, ranging from well-known ones such as the Java platform, the Solaris OS, MySQL Server, and Oracle VM VirtualBox to more obscure ones such as the Oracle Banking Platform, the Oracle API Gateway, and Oracle WebCenter Portal.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," says Oracle. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches."

Moreover, "Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."