Software company Oracle today released its latest batch of critical security patches for its e-business software products, including Oracle E-Business Suite, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle PeopleSoft, Java and MySQL.
The company identified 136 security vulnerabilities affecting 49 different products. It is the first time Oracle has used the new CVSS v3.0 security vulnerability scoring system.
None of the vulnerabilities received the maximum score of 10 on the CVSS scale. However, 17 were rated critical, and a further 25 as high severity.
Alexander Polyakov, the CTO at cybersecurity firm ERPScan, said: “First of all, I’m glad to see such changes in the scoring system, as there were many discussions about the quality of CVSS v.2.0. For example, vendors could rate issues discovered in their products as less critical (intentionally or unintentionally) because of some flaws in this scoring system. Now the recently updated system is more accurate and many drawbacks affecting the previous version were resolved.”
Some of the vulnerabilities identified by the new scoring system had previously gone undetected for years. According to Chris Goettl, the Product Manager at patch management firm Shavlik, the oldest of them dates back as far as 2011.
Goettl advises that users applying the new patches should prioritise Java SE, MySQL and the Sun Systems Product Suite, since vulnerabilities in these products “stand a higher chance of being exploited”.
In order to ease the transition from CVSS 2.0 to 3.0, Oracle has released lists of the vulnerability scores under both scoring systems for comparison purposes. This is a one-off, and future lists will only be released using version 3.0. Rival e-business software provider SAP had already made the transition to version 3.0 last month.
Patches are released on a quarterly basis. The next batch is due in July.