The average time from the discovery of a vulnerability to a patch being issued is, for well-supported software, thirty days. In a best-case scenario, cybercriminals have a whole month to make the most of the exploit. Of course, it’s not always a best-case scenario. For example, in 2016, an SAP authentication vulnerability was patched that had first been reported way back in 2012. Any hacker looking to use this vulnerability to gain access to a system had the best part of four years to do so. And some business practices mean that there is much longer between a vulnerability being discovered and a patch being released—Oracle rolls all of its patches into a quarterly Critical Patch Update, meaning there are potentially three months from a patch being created until it’s rolled out. The issues aren’t only on the software providers’ side—in fact, the biggest problems can be found with the users and businesses who fail to install patches. This isn’t … [Read more...] about Are ERP patches regular enough to be value for money?
Oracle critical patch updates
Oracle has released patches for the latest Spectre CPU flaws and a fix for the Lazy floating-point unit (FPU) state restore issue affecting Intel CPUs. Oracle's updates address the Spectre CPU flaws revealed in May, including CVE-2018-3640, also known as Spectre variant 3a, and CVE-2018-3639, Spectre variant 4. The fix for Spectre variant 4 needs both software and microcode updates, while fixing Spectre variant 3a only requires microcode updates. Oracle has released software-based patches for Oracle Linux and Oracle VM with Intel's microcode updates for x86 hardware. Oracle director of security assurance, Eric Maurice, said the company will release more microcode updates and firmware patches as they become available from Intel. Oracle has also released updates for Red Hat Compatible Kernel … [Read more...] about Oracle’s latest Linux fixes: New Spectre, Lazy FPU patches beef up defenses
A bug that Oracle recently patched broke the main functionality of Oracle Access Manager (OAM), which should only give authorized users access to protected enterprise data. OAM provides an authentication function for web applications based on Oracle Fusion Middleware. It can be used to provide and block access to external mobile and cloud applications. However, researchers at Austrian security firm SEC-Consult found a flaw in OAM's cryptographic format that allowed them to create session tokens for any user, which an attacker could use to impersonate any legitimate user and access web apps that OAM should be protecting. As SEC-Consult explains, OAM-protected web servers feature an authentication component called an Oracle WebGate. When users attempt to access a protected resource from the web server, they're bumped across to an OAM page to enter a username and password. If successful, … [Read more...] about Oracle Access Manager security bug so serious it let anyone access protected data
critical patch update for April, offering 254 security fixes across 20 product sets. The database giant said customers should install the update as soon as possible, as attackers continue to attempt to exploit patched vulnerabilities. "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay," it said. Eric Maurice, Oracle's director of security assurance, said about one third of the security fixes provided are for non-Oracle Common Vulnerabilities and Exposures (CVEs), that is, security fixes for third-party software components that are included in Oracle products. Oracle's January critical patch update provided patches for the Spectre and Meltdown processor vulnerabilities, and the April update includes one further Spectre update (for CVE-2017-5753) for the … [Read more...] about Oracle critical update fixes 254 flaws
Oracle released its first batch of security patches this year, fixing 270 vulnerabilities, mostly in business-critical applications. Many of the flaws can be exploited remotely without authentication. The majority of the fixes are for flaws in business products such as Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products and Oracle Database Server. E-Business Suite, which is used by companies to store key data and manage a wide range of business processes, accounts for more than 40 percent of the patched vulnerabilities (121). Out of these, 118 are remotely exploitable and the highest rated one has a score of 9.2 (critical) in the Common Vulnerability Scoring System. Another 37 vulnerabilities were patched in Oracle Financial Services, 18 in Oracle Fusion Middleware, eight in Oracle Retail Applications, eight in Oracle PeopleSoft and four in the Oracle Primavera Products Suite. These products … [Read more...] about Oracle patches raft of vulnerabilities in business applications