Oracle Fixes 252 Vulnerabilities in October 2017 Patch Update

Oracle on Tuesday released its Critical Patch Update (CPU) for October 2017 to address a total of 252 security vulnerabilities across multiple product families. More than half of the bugs may be remotely exploitable without authentication.

The most affected Oracle products this month include Fusion Middleware (40 vulnerabilities, 26 remotely exploitable without authentication), Hospitality Applications (37 flaws, 13 remotely exploitable), E-Business Suite (26 flaws, 25 remotely exploitable), MySQL (25 flaws, 6 remotely exploitable), PeopleSoft Products (23 flaws, 13 remotely exploitable), Communications Applications (23 flaws, 18 remotely exploitable), and Java SE (22 flaws, 20 remotely exploitable).

Oracle this year resolved 1119 vulnerabilities in its products, 22% more than in 2016. That is not surprising, given that both the April 2017 CPU and the July 2017 CPU passed the 300-patch mark.

Of the 252 vulnerabilities addressed in this CPU, 182, or 72% of the total, directly affect business-critical applications. Impacted products also include Sun Systems Products Suite (10 vulnerabilities), Retail Applications (9), Siebel CRM (8), Supply Chain Products Suite (7), Virtualization (6), Database Server (6), Hyperion (4), JD Edwards Products (2), Financial Services Applications (2), Health Sciences Applications (1), Construction and Engineering Suite (1), and Enterprise Manager Grid Control (1).

The most critical vulnerabilities addressed this month affect Hospitality Reporting and Analytics, Siebel Apps, and Hospitality Cruise AffairWhere, and carry CVSS base scores of 10.0 or 9.9. By exploiting these issues, an attacker could either take over the affected application or hang or repeatedly crash it (a complete denial of service).

Of the 26 issues patched in Oracle E-Business Suite, 21 were assessed as High risk, two as Low, and three received no severity rating. Fifteen of the vulnerabilities were found by Onapsis, a company that specializes in securing Oracle and SAP products, and three of them were unauthenticated SQL injection bugs.

Affecting Oracle EBS versions 12.1 and 12.2, the flaws could be abused over a network without any username or password. By exploiting the vulnerabilities, an attacker could potentially gain access to and modify critical documents and information, including credit card data, customer information, HR documents, and financial records, Onapsis notes.


Nine other flaws were discovered by ERPScan, a company also focused on Oracle and SAP applications; all of them are cross-site scripting (XSS) bugs, and each carries a CVSS base score of 8.2. By exploiting these vulnerabilities, an attacker could steal session cookies or perform “session riding” (cross-site request forgery) attacks.

“The message from Oracle to their customers was loud and clear: you need to make cybersecurity a top priority. Organizations still need to remain focused on applying patches at the business-critical application layer. This is a complex process and sometimes falls through cracks between IT, application and security teams,” said Mariano Nunez, CEO, Onapsis.

Oracle EBS is one of the most critical applications used by large organizations in enterprise resource planning (ERP), customer relationship management (CRM), supply chain management (SCM), finance management, human capital management, procurement and many others.

Last month, Oracle released patches to address vulnerabilities in the Apache Struts 2 framework, including CVE-2017-9805, a flaw actively exploited by attackers. Some of the affected Oracle products included MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.

Related: Oracle Patches Record-Breaking 308 Vulnerabilities in July Update

Related: Oracle Patches Record Number of Vulnerabilities

Related: Oracle Releases Patches for Exploited Apache Struts Flaw

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
