Slashdot Mirror


Oracle Patches 136 Flaws In 49 Products

An anonymous reader writes: Oracle has released the April 2016 Critical Patch Update, which provides fixes for 136 vulnerabilities in 49 products, including Java SE and MySQL, the company's Database Server and E-Business Suite, its Fusion Middleware, and its Sun Systems Products Suite. "Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay," the company advised.

23 comments

  1. IOW Oracle in Software business by bulled · · Score: 1

    and not completely terrible at it, only moderately bad.

    I do like how they managed to call their customers idiots in the same announcement.

  2. and in doing so by Hognoxious · · Score: 1, Funny

    ... and in doing so, introduces 243 bugs.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    1. Re:and in doing so by Anonymous Coward · · Score: 1

      99 bugs in the code, 99 bugs in the code. Take one down, patch it around 127 bugs in the code

    2. Re:and in doing so by Anonymous Coward · · Score: 0

      And thousands of support calls, and millions in support contract renewals.

    3. Re:and in doing so by Hognoxious · · Score: 1

      And the price of support contracts doubles - retroactively.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    4. Re:and in doing so by Anonymous Coward · · Score: 0

      per core...

    5. Re:and in doing so by Anonymous Coward · · Score: 0

      In other words, the products are done and ready to be released.

  3. Do I still need to uncheck the "ask.com" box? by enjar · · Score: 1

    I mean, does ask.com exist outside of people who updated Java searching how to make it go back to whatever they already had?

    1. Re:Do I still need to uncheck the "ask.com" box? by ffsnjb · · Score: 1

      This time it was some Amazon crapware for me... Uncheck that box PDQ.

      --
      "Why do you consent to live in ignorance and fear?" - Bad Religion
  4. "Actively supported" is the key here by ErichTheRed · · Score: 3, Interesting

    Define "Actively Supported," Oracle.

    I work in an industry whose IT ecosystem has lots of legacy baggage, and has strata of old systems that can be pinpointed to Programming Fad of the Year in the year they were built. Worse yet, my specialty is end user stuff, so my job lately has been to try to clean some of this up. We've got insanely complex Java applets, lots of really old Flash web stuff, Visual Basic 6 that heavily relies on towers of COM+ libraries, web apps that use every single quirk of IE 6, massive ActiveX applications that require scary levels of local permissions to function, and so on. To make it fun, the nature of our industry is such that these are mostly bespoke, one off applications written by companies that don't exist anymore, people we can't find, or consultancies that want millions of dollars for upgrades. Getting this all working on modern systems is a huge challenge, especially when your new normal is supporting non-quirky applications from the present day that are pretty well behaved.

    Oracle doesn't make this any easier by not patching flaws in older JREs or other software if you don't pay for extended support. In fact, one issue I had that's thankfully gone now was Oracle's own financial product relying on Oracle's own recompiled JRE (the "JInitiator"). Under the covers, Oracle still is patching these security holes for customers who pay an exorbitant license fee to run the "free" client side JRE. They don't release them to the public, ostensibly to get consumers to upgrade, but we know the real reason.

    I know companies can't support software forever, but the previous (pre Sun/Oracle merger) environment encouraged client side Java use by giving away the JRE and JDK for free and keeping them patched. Now, applets and browser plugins are a bad idea, everyone realizes this now. But software from the early to mid 2000s relies heavily on them.

    1. Re:"Actively supported" is the key here by guruevi · · Score: 1

      And at what point do your clients realize that all of the above behavior by companies can be avoided by simply using/writing open source solutions?

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    2. Re:"Actively supported" is the key here by Ash-Fox · · Score: 1

      And at what point do your clients realize that all of the above behavior by companies can be avoided by simply using/writing open source solutions?

      How does using open source fix this?

      Woo, I changed the licensing on my applet to GPLv3, still didn't do anything.

      --
      Change is certain; progress is not obligatory.
    3. Re:"Actively supported" is the key here by Anonymous Coward · · Score: 0

      Now that .Net and Xamarin are open sourced, perhaps those clients will turn to the righteou$ path. ;)

    4. Re:"Actively supported" is the key here by guruevi · · Score: 2

      At least you'll have access to the source code and can give it to a new contractor for further work/fixes. The main problem as GP states is that you get binaries from organizations that either no longer exist or turn into extortionists to fix anything. If you have the source, at least that is no longer a valid excuse.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    5. Re:"Actively supported" is the key here by Anonymous Coward · · Score: 0

      And at what point do your clients realize that all of the above behavior by companies can be avoided by simply using/writing open source solutions?

      Yeah, you can hire someone to backport TLS1.2 onto RHEL 3.

      Riiiight. Sure you can.

      What color is the sky on your planet?

    6. Re:"Actively supported" is the key here by Ash-Fox · · Score: 1

      At least you'll have access to the source code and can give it to a new contractor for further work/fixes.

      I used to work in a big consultancy company; that rarely worked as a solution because they'd always realize they'd have to rewrite everything due to the amount of effort to learn the vast enterprise product that was already broken fundamentally.

      you get binaries from organizations that either no longer exist or turn into extortionists to fix anything.

      I've been on projects where open source solutions were used primarily for almost everything, with the exception of certain parts of the application where they did have the sources too (it just wasn't FOSS) and were essentially in the same situation, so I don't see how this helps.

      --
      Change is certain; progress is not obligatory.
    7. Re:"Actively supported" is the key here by K. S. Kyosuke · · Score: 1

      I work in an industry whose IT ecosystem has lots of legacy baggage, and has strata of old systems that can be pinpointed to Programming Fad of the Year in the year they were built.

      That's awfully non-specific because this applies to, like, all of them.

      --
      Ezekiel 23:20
    8. Re:"Actively supported" is the key here by jandersen · · Score: 1

      They don't release them to the public, ostensibly to get consumers to upgrade, but we know the real reason.

      We do indeed: they want customers to upgrade. There is no reason to expect otherwise - it is common practice that SW companies don't want to have to keep patching old versions, because 1) there is a new version in which the flaws are being fixed, and people should upgrade, and 2) it is an expense that you get no reward for. I think it is perfectly reasonable that you only want to do this work if you are paid - many companies won't, even for good money.

  5. In other news. by idbeholda · · Score: 2

    Notepad is still the current reigning champion of being exploit-free since 1985.

    1. Re:In other news. by ErichTheRed · · Score: 1

      It's funny you mention that, but it makes sense. Simple software with simple features is hard to screw up security-wise. Abstraction, feature bloat, relying on massive third-party libraries you don't control, etc. are usually the root cause of these problems.

      Then again, in the Windows world, once in a while an exploit comes completely out of left field. I think a few years ago there was a patch for Windows Paint of all things, and an exploit in the code for the font subsystem. Talk about stuff that never changes...

    2. Re:In other news. by guruevi · · Score: 1

      You forgot all about: CVE-2011-1991 and there must have been several others but I can't be bothered to look it up. Try opening Notepad with a debugger attached, you see all kinds of crap being loaded including IE stuff.

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
    3. Re:In other news. by lord merlin · · Score: 1

      Notepad you say? Open that 8TB backup image in Notepad some time. Go on, I'll wait. And wait. And wait. ....

  6. MariaDB by darkain · · Score: 2

    Good thing I already installed the patch for Oracle MySQL, it is called MariaDB!