By Bruce Sussman
Wed | Apr 17, 2019 | 2:11 PM PDT

If you're a big Oracle customer, this week's Patch Tuesday could stretch well into the week.

That's because Oracle released its Critical Patch Update for April 2019, which addresses 297 security vulnerabilities across multiple products.

This far surpasses the 80 patches Adobe announced at once on a Patch Tuesday.

Oracle patches across industry verticals

The Oracle announcement provides patches for a head-spinning number of industries, which illustrates how widely its technology is deployed.

Oracle's Agile Recipe Management for Pharmaceuticals? Yes, there's a patch for that supply chain product.

The company's Financial Services Data Integration Hub? Yes, there's a patch for that banking industry product.

The Oracle Retail Workforce Management Software? Yes, there's a patch for this retail industry product.

And there are hundreds of additional patches for products that power hospitality, construction, virtualization, databases, and more.

Here is the complete list of April 2019 Oracle patches.

Oracle warns customers: make sure you are patching

At the top of the company's April 2019 patch advisory, Oracle wrote the following warning to its clients about good patch hygiene:

Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.

Patching is a failed security paradigm

The Oracle warning points out a major weakness in relying on patching as the right way to go about security. Many organizations will not patch known vulnerabilities, for a variety of reasons.

But what if those patches are never issued in the first place?

That's one of the reasons Bruce Schneier tells us patching is a failure and it is going to get worse. We interviewed Schneier at SecureWorld Boston:


If you're a Bruce Schneier fan, like so many in InfoSec, be sure to watch our complete interview with him: Schneier on the State of Cybersecurity.