Oracle Ties Previous All-Time Patch High With January 2020 Updates (threatpost.com)
"Not sure if this is good news (Oracle is very busy patching their stuff) or bad news (Oracle is very busy patching their stuff) but this quarterly cycle they tied their all-time high number of vulnerability fixes released," writes Slashdot reader bobthesungeek76036. "And they are urging folks to not drag their feet in deploying these patches." Threatpost reports: The software giant patched 300+ bugs in its quarterly update. Oracle has patched 334 vulnerabilities across all of its product families in its January 2020 quarterly Critical Patch Update (CPU). Out of these, 43 are critical/severe flaws carrying CVSS scores of 9.1 and above. The CPU ties for Oracle's previous all-time high for number of patches issued, in July 2019, which overtook its previous record of 308 in July 2017. The company said in a pre-release announcement that some of the vulnerabilities affect multiple products. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible," it added.
"Some of these vulnerabilities were remotely exploitable, not requiring any login data; therefore posing an extremely high risk of exposure," said Boris Cipot, senior security engineer at Synopsys, speaking to Threatpost. "Additionally, there were database, system-level, Java and virtualization patches within the scope of this update. These are all critical elements within a company's infrastructure, and for this reason the update should be considered mandatory. At the same time, organizations need to take into account the impact that this update could have on their systems, scheduling downtime accordingly."
patch bounty? (Score:2)
Perhaps they implemented some kind of internal patch bounty.
The only high at Oracle (Score:3)
FTLA (Score:2)
As an aside, the use of CPU as an acronym here seems excessively short-sighted.
Re: (Score:2)
It's a way for Oracle to increase licensing fees. See, they charge per CPU...
Re: (Score:2)
It's a useful and humorous writing pattern showing that a single action has positive and negative implications. I find no good reason to hate it.
Still no patch for Litigious Suit Larry. (Score:3)
He still randomly starts fucking everything that can't run away as soon as you try to move.
Major changes to OpenJDK? (Score:2)
Re: (Score:2)
Most Java is server side and not impacted by HTML5. It isn't going anywhere soon.