Although this critical update, complete with 270 fixes, is not the largest Oracle has issued, it’s a close second – trailing just six fixes behind the largest to-date, which was released in 2016.
The affected landscape deals mostly with business-critical applications, including: Oracle Database Server, Oracle PeopleSoft, Oracle E-Business Suite, Oracle JD Edwards, Oracle Fusion Middleware, Oracle Sun products, Oracle Java SE and Oracle MySQL. Many of the vulnerabilities in this bulletin can be exploited remotely, without authentication. Given the business-critical and financial data that could be exposed, it is highly recommended by Oracle to apply this update as soon as possible.
Of the 270 vulnerabilities, around 18 have a CVSS score of 9 or higher and one vulnerability hit the 10 mark. This 10 was awarded to Oracle Primavera and is addressed by CVE-2017-3324.
For Java SE, there are a total of 17 CVEs, with all but one able to be exploited without authentication. Nine of the Java vulnerabilities are user targeted and three have a CVSS base score of nine or higher. Although the score decreases slightly when not running with elevated privileges, the risk threat is still notable and the vulnerabilities need to be mitigated quickly.
Although Shavlik does not have patch content for all of the affected products, we have made the Java patches for this update available to our customers.