Oracle has released a whopping 248 security updates across a range of products as part of the firm’s quarterly patch release cycle.
The record-breaking Oracle Critical Patch Update – January 2016 provides fixes for E-business suite, Java SE and Database Server, and includes a number of critical updates to reduce the risk of attack.
Sixty-nine of the 78 security updates for E-business suite fix vulnerabilities that could be “remotely exploitable without authentication”, according to the advisory.
Other products affected by the updates include GoldenGate, WebLogic, PeopleSoft Enterprise, Retail applications suite and Fusion applications.
Oracle recommends that companies update systems immediately. “Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” the company said in the advisory.
“In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply critical patch update fixes without delay.”
Wolfgang Kandek, chief technical officer at security firm Qualys, warned that it is more important than ever for organisations to be aware of the applications they run and to keep all software up to date.
“A complete inventory of your servers and installed software comes in handy to augment a manual application registry that many companies have made mandatory already,” he said.
“Scanning all of your machines will find applications that you were not aware of, plus versions of programs that are outdated and potentially even end-of-life.
“You will have to read carefully through the update and compare with your application inventory to see if you are affected.”
Oracle credited a long list of security researchers for contributing to the patch release, including experts at Google, the McAfee Database Security Research Team, HP’s Zero Day Initiative and ERPScan.