By security practitioners, for security practitioners

Oracle releases October Critical Patch Update for all product lines

Urgent action is required to apply the critical patch updates, as Oracle products are everywhere and threat actors actively target unpatched Oracle networks in the wake of such announcements.

Background

Oracle released its October Critical Patch Update yesterday, addressing 419 security vulnerabilities across the entire Oracle product line.

Due to the severity of the vulnerabilities patched and the ubiquity of Oracle products, CISA has released an advisory to further encourage prompt patching of Oracle environments.

Oracle has reported a spike in customer compromise after Critical Patch Update cycles because threat actors actively target unpatched Oracle environments once the vulnerabilities have been announced and documented.

Critical patch details

Oracle releases its security patches on a quarterly basis, seldom releasing security updates outside this window. Because each release covers the entire line of Oracle products once per quarter, it often addresses a multitude of critical and high rated vulnerabilities.

Oracle's quarterly Critical Patch Update cycle releases on the Tuesday closest to the 17th day of January, April, July and October. The next four are scheduled for 18 January 2022, 19 April 2022, 19 July 2022 and 18 October 2022.

Oracle products are ubiquitous across corporate environments. Since Oracle MySQL database and Oracle Java SE platforms are included (as well as common tools like Middleware and PeopleSoft), it is likely that you have affected Oracle tools in your environment.

Mitigations

It’s highly recommended to apply the patches if possible.
 
Consult the official Oracle advisory for additional details.

Resources

Official Oracle Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

CISA Advisory
https://us-cert.cisa.gov/ncas/current-activity/2021/10/19/oracle-releases-october-2021-critical-patch-update

Oracle Critical Patch Updates Page
https://www.oracle.com/security-alerts/
