Oracle has released its second critical update of 2019, a security patch that arrived in April. The company has fixed up to 297 problems in its software that seriously affect security. Specifically, the patch for these 297 vulnerabilities was released on April 17, and 53 of them have a CVSS (Common Vulnerability Scoring System) score of 9.0 or higher, which denotes how critical they are. Not all of the vulnerabilities are recent, which is even worse.
It turns out that some of them have been with us for more than 3 years: years in which a Java library was fully exposed to attackers without the problem being known. This is nothing new. Dealing with old and new vulnerabilities is something Oracle's security experts have to do, so that cybercriminals do not discover the flaws first and use exploits against them.
The vulnerability that has been with us for almost 4 years is registered as CVE-2016-1000031. It is a Java flaw in the Apache Commons FileUpload library, which is used in multiple Oracle applications. The vulnerability existed in the DiskFileItem component and can be manipulated to write and copy files to disk arbitrarily. Remote attackers could exploit this vulnerability and take complete control of the affected system.
This is certainly not very good news for Oracle as far as the earlier work on its software portfolio is concerned, although these patches now fix the issues and everyone affected should rush to update their systems. We do not like to hear this kind of news, since Oracle products carry a lot of responsibility and support important systems, and it would be unfortunate if this turned into something similar to what happened with Adobe and Flash, given the number of vulnerabilities found and how critical some of them are ...