Skip to main content
Tag

oracle

|||||

Who Are the Worst Vendors of 2019?

By News, Patch ManagementNo Comments

Who Are the Worst Vendors of 2019?

From the highest number of software updates to highest number of critical vulnerabilities, find out which vendors are the worst offenders.
[vc_empty_space]
[vc_single_image image=”29632″ img_size=”full” alignment=”center”]

2019 has brought serious threats causing massive disruption and data theft. Which vendor has released the most software updates and fixes in 2019, and of these, which updates are the most critical? Let’s find out!

The top 20 vendors look like this for 2019—this means Microsoft has released the most patches to fix a vulnerability of any severity out of the most popular software vendors.

[vc_single_image image=”29640″ img_size=”full” alignment=”center”]

Let’s see how the top 10 from this list compare when we deep dive into the severity of the vulnerabilities fixed. For simplicity, we will base our statistics on the CVSS Score.

What is a CVSS Score?

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. The numerical score can then be translated into a qualitative representation (such as low, medium, high, and critical) to help properly assess and prioritize their vulnerability management processes.

We can see that Microsoft have released a total of 6330 patches so far this year, with 2143 of these patches resolving a vulnerability with a CVSS score of 9 or higher. Just behind Microsoft in second place is Adobe – which has released 2052 updates.

Let’s take a look at how the most serious vulnerabilities impact the original ranking. We can see from the table below that the top 5 vendors have made significant movements and some are unexpected, e.g. IBM has moved out of the top 5 and Adobe has moved into the top 5.

[vc_single_image image=”29639″ img_size=”full” alignment=”center”]

Who’s the worst?

To continue this trend analysis review and to find out who has fixed the highest number of critical vulnerabilities, let’s compare the percentage of those threats against the total number of patches they have released this year.

We can do this by dividing all vulnerabilities with CVSS score more than 9 and dividing by the total number released by 100. The following table shows the new ranking of the vendors against the original ranking.

Robert Brown, Director of Services said, “What is really surprising is that a third party vendor to Microsoft has fixed more high priority vulnerabilities than them. If you do not have a strategy to include third party updates believing that only Microsoft needs to be patched, I hope this table convinces you to implement a different, more inclusive process. Not only that, some of these third party vendors like Oracle and Cisco are less likely to appear in a patching strategy which would expose a lot of your estate. Lastly, the toolset you use to patch your environment should be flexible to include other non-Windows operating systems like RedHat and Suse.”

[vc_single_image image=”29647″ img_size=”full” alignment=”center”]
[vc_separator css=”.vc_custom_1551288486254{padding-top: 20px !important;padding-bottom: 20px !important;}”]

Start a Free Trial

Try Syxsense today and start patching your IT environment with a powerful and easy-to-use IT management toolset.
[vc_btn title=”Get Started with Syxsense” color=”warning” size=”lg” align=”center” link=”url:%2Fsyxsense-trial|||”]
||

Oracle Drops Critical Update Bomb

By News, Patch ManagementNo Comments
[vc_single_image image=”25308″ img_size=”full”]

Over 300 Vulnerabilities: 49 Rated as Critical

Oracle has just dropped its October 2018 update and it is a big one! Over 300 security flaws are addressed in this massive release. 49 of those flaws carry a critical CVSS rating (9 or higher).

One of these scored a ‘perfect’ critical rating of 10!

The flaw in question is CVE-2018-2913 for Oracle GoldenGate. According to Oracle’s Advisory, the flaw “may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.”

Of the remaining critical flaws, 45 have a CVSS rating of 9.8. This release is tackling a huge group of major vulnerabilities. Any organization running Oracle products should immediately scan their networks to figure out just how many devices require these updates.

Simplify Patch Management Tasks

If you want to make the patch management process more efficient, look to an IT solution such as Syxsense. The inventory scan feature can be set to regularly check your network and then display that information in easy to understand icons and graphs.

Then, move to the Patch Manager feature to set up a task to remediate the now obvious vulnerabilities. A task will be prepopulated for rapid deployment, or there are a multitude of controls to facilitate the update release strategy that works best for your unique environment.

Massive update bombs don’t have to wreak havoc on your work week. Discover a better way to manage your updates with Syxsense.

[dt_default_button link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center”]START FREE TRIAL[/dt_default_button]
||||||

Severe Oracle Vulnerabilities

By NewsNo Comments
[vc_single_image image=”24773″ img_size=”full”]

WebLogic Server Needs Immediate Patching

If you are using an Oracle WebLogic Server in your environment, you must patch it now.

This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server.

Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server. To compound this further, it is currently being exploited and has been assigned a CVSS score of 9.8 out of 10.

More Oracle Updates

Oracle has released its July 2018 updates to address a total of 334 security vulnerabilities, the largest number of flaws resolved with a Critical Patch Update (CPU) to date. Over 200 of the bugs may be remotely exploitable without authentication.

Robert Brown, Director of Services for Verismic said, “IT Managers are so focused on patching Windows, that they lose focus on the applications within their environment which can be exploited just as easy as the OS.”

Your patching strategy should accommodate all weaknesses. This includes the applications used within your environment.

All Oracle customers are advised to apply the fixes included in Oracle’s Critical Patch Updates without delay, as some of the addressed vulnerabilities are being targeted by malicious actors in live attacks.

[dt_default_button link=”url:https%3A%2F%2Fwww.syxsense.com%2Fsyxsense-trial%2F|||” size=”big” button_alignment=”btn_center”]START FREE TRIAL[/dt_default_button]
[vc_separator]

Affected Products and Patch Information

Security vulnerabilities addressed by this Critical Patch Update affect the products listed below. The product area is shown in the Patch Availability Document column. Please click on the links in the Patch Availability Document column below to access the documentation for patch availability information and installation instructions.

Affected Products and Versions Patch Availability Document
Agile Recipe Management for Pharmaceuticals, version 9.3.4 Oracle Supply Chain Products
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.x Enterprise Manager
Enterprise Manager for Fusion Middleware, versions 12.1.0.5, 13.2.x Enterprise Manager
Enterprise Manager for MySQL Database, versions 13.2.2.0.0 and prior Enterprise Manager
Enterprise Manager for Oracle Database, versions 12.1.0.8, 13.2.2 Enterprise Manager
Enterprise Manager for Peoplesoft, versions 13.1.1.1, 13.2.1.1 Enterprise Manager
Enterprise Manager for Virtualization, versions 13.2.2, 13.2.3 Enterprise Manager
Enterprise Manager Ops Center, versions 12.2.2, 12.3.3 Enterprise Manager
FMW Platform, versions 12.2.1.2.0, 12.2.1.3.0 Fusion Middleware
Hardware Management Pack, version 11.3 Systems
Hyperion Data Relationship Management, version 11.1.2.4.330 Fusion Middleware
Hyperion Financial Reporting, version 11.1.2 Fusion Middleware
JD Edwards EnterpriseOne Tools, version 9.2 JD Edwards
JD Edwards World Security, versions A9.3, A9.3.1, A9.4 JD Edwards
MICROS 700 Series Tablet, versions Prior to BIOS 0.00.13ORC, Prior to BIOS 0.01.25ORC MICROS 700 Series Tablet
MICROS Handheld Terminal, versions 2018, Android 4.4.4 Security Patch Bulletin prior to February 1 MICROS Handheld Terminal
MICROS Kitchen Display Controller, versions Prior to BIOS 0.00.16ORC MICROS Kitchen Display System Hardware
MICROS Lucas, versions 2.9.5.3, 2.9.5.4, 2.9.5.5, 2.9.5.6 Retail Applications
MICROS Relate CRM Software, versions 10.8.x, 11.4.x Retail Applications
MICROS Retail-J, versions 10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x Retail Applications
MICROS Workstation 6, versions prior to BIOS 1.3.1.0, prior to BIOS 1.5.2.0, prior to BIOS 2.3.1.0 MICROS Workstation
MICROS XBR, versions 7.0.2, 7.0.4 Retail Applications
MySQL Client, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior MySQL
MySQL Connectors, versions 5.3.10 and prior, 8.0.11 and prior MySQL
MySQL Enterprise Monitor, versions 3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior MySQL
MySQL Server, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior MySQL
MySQL Workbench, versions 6.3.10 and prior, 8.0.11 and prior MySQL
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1 Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6 Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.3, 3.4, 3.5, 3.6 Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0 Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0 Fusion Middleware
Oracle Application Testing Suite, version 10.1 Enterprise Manager
Oracle AutoVue VueLink Integration, versions 21.0.0, 21.0.1 Oracle Supply Chain Products
Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0 Oracle Financial Services Applications
Oracle Banking Payments, versions 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0 Oracle Financial Services Applications
Oracle Banking Platform, versions 2.6.0, 2.6.1, 2.6.2 Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 Fusion Middleware
Oracle Business Process Management Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 Fusion Middleware
Oracle Communications Diameter Signaling Router (DSR), versions 7.x, 8.x Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE LNP Application Processor, version 10.x Oracle Communications EAGLE LNP Application Processor
Oracle Communications Interactive Session Recorder, versions 5.x, 6.x Oracle Communications Interactive Session Recorder
Oracle Communications Messaging Server, version 3.x Oracle Communications Convergence
Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0 Oracle Communications Network Charging and Control
Oracle Communications Policy Management, version 12.x Oracle Communications Policy Management
Oracle Communications Session Border Controller, versions ECz7.x, ECz8.x Oracle Communications Session Border Controller
Oracle Communications User Data Repository, versions 10.x, 12.x Oracle Communications User Data Repository
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1, 18.2 Database
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 E-Business Suite
Oracle Endeca Information Discovery Studio, versions 3.1, 3.2 Fusion Middleware
Oracle Enterprise Data Quality, version 12.2.1.3.0 Fusion Middleware
Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0 Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3.x, 8.0.x Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, version 8.0.x Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Funds Transfer Pricing, versions 6.1.1, 8.0.x Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4, 8.0.5 Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.4, 8.0.5 Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Profitability Management, versions 6.1.1, 8.0.x Oracle Financial Services Profitability Management
Oracle Financial Services Revenue Management and Billing, versions 2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0, 2.5.0.2.0, 2.5.0.3.0 Oracle Financial Services Revenue Management and Billing
Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3.0, 14.0.0, 14.1.0 Oracle Financial Services Applications
Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0 Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0 Oracle Financial Services Applications
Oracle Fusion Middleware, versions 12.2.1.2, 12.2.1.3 Fusion Middleware
Oracle Fusion Middleware MapViewer, versions 12.2.1.2, 12.2.1.3 Fusion Middleware
Oracle Global Lifecycle Management OPatchAuto, version All Oracle Global Lifecycle Management OPatchAuto
Oracle Hospitality Cruise Fleet Management System, version 9.x Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Shipboard Property Management System, version 8.x Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Gift and Loyalty, version 9.0.0
July 26, 2018