CISOOnline

Oracle releases 245 new security patches, all rated ‘high-priority security’

“The figure worth watching is not the 245 patches but where they land,” he noted. “Of the 245 fixes, 106 sit in Fusion Middleware and 53 of those can be reached remotely without authentication. That is not patch hygiene. That is a control-plane problem.”

The most serious flaws, however, are not those with the highest severity scores. “They are the ones that combine remote reach, absent authentication and privileged placement in layers that other systems are built to trust,” he said.

“WebLogic Server carries two such issues at the maximum severity, on a product attackers have scanned for and targeted for years,” he noted. “Oracle Coherence carries another, and Coherence is a shared component, so its risk multiplies quietly across the estate. Oracle Unified Directory can be taken over without authentication over LDAP. WebCenter sits at the public edge. Several of these flaws change scope, meaning one compromise can reach products well beyond the one first breached.”


