2 min

Oracle advises its customers to install its April critical patch update. The company closed 297 vulnerabilities in the Database Server, Fusion Middleware, Enterprise Manager, E-Business Suite, PeopleSoft and Siebel CRM. There are also security solutions for Java SE, Virtualization, MySQL and Sun Systems.

Oracle warns that hackers are focusing their arrows on resolving vulnerabilities, hoping that companies have not yet installed the patch, writes ZDNet.


In this new update, five critical vulnerabilities in JavaSE have been plugged. All these vulnerabilities can be exploited remotely, without authentication. The most important vulnerability is CVE-2019-2699 and affects Java SE: 8h202. The vulnerability affects Java deployments, such as clients running in a sandbox in Java Web Start-apps or Java applets running code from the Internet. The vulnerability can be exploited via a web server that sends data to the APIs.

There are also solutions for 53 vulnerabilities that affect Oracle Fusion Middleware. 42 of these can be abused remotely, without the need for user credentials. Twelve of the errors have a severity level of 9.8 out of a maximum of 10.

The update contains patches for 35 bugs in E-business, of which 33 can be executed remotely without authentication. For Communication applications, 26 errors have been resolved, 19 of which can be operated remotely without passwords. MySQL received 45 solutions, four of which can be abused remotely without authentication.

External researchers

106 of the bugs fixed in the April update were reported to Oracle by external researchers. Mateusz Jurczyk of Google Project Zero told Oracle about two of the five Java SE vulnerabilities, namely CVE-2019-2697 and CVE-2019-2698. Project Zero has now published proof-of-concept exploit code for those two errors.

Microsoft’s Vulnerability Research team reported CVE-2019-2696. That is a locally exploitable error in Oracle VM VirtualBox. That was one of the fifteen errors in the virtualisation products.

The next two critical patch updates are scheduled for July 16 and October 15.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.