Critical Security Patch Update: Oracle releases 245 security updates

Software manufacturer Oracle has closed numerous software vulnerabilities in its application portfolio. Attackers can exploit security gaps in Identity Manager, MySQL Server, Solaris, or WebLogic Server, among others.

Need for action

As PeopleSoft PeopleTools is already being attacked by the cyber gang ShinyHunters, the developers released an emergency security update last week to close the “critical” vulnerability (CVE-2026-35273). This allows malicious code to get onto systems and compromise them. Consequently, admins must act immediately. So far, there are no reports that attackers are exploiting any further vulnerabilities.

In an extensive list, the software manufacturer lists a total of 245 security patches. Admins should look very closely here and review the applications relevant to them. The specifically affected versions can also be found there. Oracle recommends swift installation. Additionally, admins must ensure that updates from past quarterly updates are also installed.

Insight into threats

The list of all dangers exceeds the scope of this report. Therefore, only an excerpt of particularly dangerous security vulnerabilities is provided here. This includes, for example, several “critical” vulnerabilities (e.g., CVE-2026-46933) in E-Business Suite. At these points, malicious code can compromise systems, among other things.

Several vulnerabilities (e.g., CVE-2026-46854) in Enterprise Manager are also considered “critical.” JD Edwards is also attackable via “critical” vulnerabilities. Oracle Solaris is even vulnerable via a “critical” security vulnerability (CVE-2026-46978) with a maximum CVSS score of 10 out of 10.

(des)