Security Experts:

Oracle Critical Patch Update for October 2016 Fixes 253 Vulnerabilities

Oracle this week released its Critical Patch Update (CPU) for October 2016 to deliver a total of 253 new security fixes across multiple product families, nearly half of which can be exploited remotely without authentication.

Oracle products receiving the largest number of fixes this quarter include Oracle Communications Applications (36 patches), MySQL (31), Fusion Middleware (29), Financial Services Applications (24), and E-Business Suite (21). Oracle Database, Java SE, PeopleSoft, and Retail Applications received patches as well.

At 253 fixes, the October 2016 CPU is the second largest for the year, after the July CPU set a record at 276 patches. This month, Oracle resolved numerous Critical flaws in its products (over a dozen of the vulnerabilities had a CVSS base score above 9), including one vulnerability in the HTTP service of the Oracle E-Business Suite.

The Oracle E-Business Suite was the most affected mission-critical software, with 11 of the 21 resolved vulnerabilities assessed as High risk. What’s more, 14 of these flaws can be exploited remotely without authentication, meaning that an attacker could leverage them over a network without user credentials. The highest CVSS score of the 21 issues is 8.2.

According to ERPScan, a company specialized in securing SAP and Oracle software, the most important of these flaws affects the web server component of Oracle EBS. The bug, remotely exploitable, could allow an unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, which could result in denial of service and unauthorized read access to data. The company also reveals that there are around 15000 Oracle HTTP servers exposed to the Internet.

Other mission-critical software that received fixes in the October CPU include Oracle PeopleSoft (11 fixes), D Edwards Security (2 fixes), and Siebel CRM Security (3 fixes). The highest CVSS base score is 8.2.

The most critical issues resolved this month include four bugs with a CVSS score of 9.8: CVE-2015-3253 – affecting the Big Data Discovery component of Fusion Middleware; CVE-2016-3551 – affecting the Web Services component of Fusion Middleware; CVE-2016-5535 – affecting the WebLogic Server component of Oracle Fusion Middleware; CVE-2015-3253 – affecting the Commerce Platform component of Oracle Commerce; and a CVSS score 9.6 flaw – CVE-2016-5582, affecting the Java SE, Java SE Embedded component of Java SE.

Oracle included a total of 7 new security fixes for Java SE in the October 2016 CPU, affecting Java 6, 7, and 8. All of these vulnerabilities could be remotely exploitable without authentication, and three of them have a CVSS score of 9.6. According to Oracle, these vulnerabilities apply to Java deployments in “clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code,” but not to server deployments that load and run only trusted code.

Commenting on the Oracle CPU for October 2016, Waratek CTO John Matthew Holt told SecurityWeek that, because almost all of the vulnerabilities resolved in Java and Java products are remotely exploitable, “any application running on the current or earlier versions of these Java products are or may be susceptible to remote attacks.”

“In particular, two of the Java Platform vulnerabilities affect the JMX (Java Management Extensions) and Networking APIs built into the Java Platform. These two APIs are present and loaded in all but the most trivial Java applications. This means business critical Java applications are operating with known-flawed APIs and should prioritized for patching as quickly as possible,” he says.

Holt also points out that Java-powered WebLogic applications are seriously impacted by the new set of security patches, especially with five different vulnerabilities in WebLogic versions 10 and 12 that can be remotely exploited over HTTP and HTTPS protocols without authentication. These remote exploits are the most worrying, given the ubiquity of HTTP/HTTPS access to Java-powered applications, he says.

“Furthermore, since these are nearly all high-CVSS vulnerabilities, a successful exploit will not only hijack the vulnerable application stack but also expose confidential application data. Customers running critical business applications on Java-powered WebLogic and GlassFish application platforms need to upgrade their application stack urgently to safeguard the security of their application and the confidentiality of their business data,” Holt continues.

However, he also points out that the October CPU is not out of the ordinary when compared to those released in the previous quarters, because high-severity vulnerabilities are identified and patched in the Java software platforms every three months.

ERPScan, on the other hand, underlines the fact that 2016 marked a record patch year for Oracle. At 253 fixes, the October CPU is the second largest compared to July’s 276 patches, while the January CPU draws near with 248 fixes.

“Oracle started this year by releasing a CPU consisting of 248 patches, which immediately made headlines as a record-breaking number of fixes. As of today, this patch update seems to be a game-changing moment. We can assume that the exceeding the two-hundred mark in terms of number of closed issues was not fortuitousness. This seems to be a trend for all sets of patches released in 2016, and only CPU for April 2016 is at odds with it,” Alexander Polyakov, CTO at ERPScan, said.

Related: Oracle's Critical Patch Update for July Contains Record Number of Fixes

Related: Oracle Critical Patch Update for April 2016 Fixes 136 Vulnerabilities

view counter