Oracle on Tuesday released its Critical Patch Update (CPU) for October 2017 to address a total of 252 security vulnerabilities across multiple product families. More than half of the bugs may be remotely exploitable without authentication.
The most affected Oracle products this month include Fusion Middleware (40 vulnerabilities, 26 remotely exploitable without authentication), Hospitality Applications (37 flaws, 13 remotely exploitable), E-Business Suite (26 – 25), MySQL (25 – 6), PeopleSoft Products (23 – 13), Communications Applications (23 – 18), and Java SE (22 – 20).
Of the 252 vulnerabilities addressed in this CPU, 182, or 72% of the total, directly affect business-critical applications. Impacted products also include Sun Systems Products Suite (10 vulnerabilities), Retail Applications (9), Siebel CRM (8), Supply Chain Products Suite (7), Virtualization (6), Database Server (6), Hyperion (4), JD Edwards Products (2), Financial Services Applications (2), Health Sciences Applications (1), Construction and Engineering Suite (1), and Enterprise Manager Grid Control (1).
The most critical vulnerabilities addressed this month affect Hospitality Reporting and Analytics, Siebel Apps, and Hospitality Cruise AffairWhere and feature CVSS Base Scores of 10.0 or 9.9. By exploiting these issues, an attacker could either take over the application or hang or frequently crash (complete denial of service) the application.
Of the 26 issues patched in Oracle E-Business Suite, 21 were assessed as High risk, 2 as Low, and three received no severity rating. 15 of the vulnerabilities were found by Onapsis, a company that specializes in security Oracle and SAP products, and three of them were unauthenticated SQL injection bugs.
Affecting Oracle EBS versions 12.1 and 12.2, the flaws could be abused over a network without any username and password credentials. By exploiting the vulnerabilities, an attacker could potentially gain access to and modify critical documents and information, including credit card data, customer information, HR documents, and financial records, Onapsis notes.
9 other flaws were discovered by ERPscan, a company also focused on Oracle and SAP applications, all of them Cross Site Scripting (XSS) bugs and all of them with a CVSS base score of 8.2. By exploiting these vulnerabilities, an attacker could steal cookies or perform “session riding” attacks.
“The message from Oracle to their customers was loud and clear: you need to make cybersecurity a top priority. Organizations still need to remain focused on applying patches at the business-critical application layer. This is a complex process and sometimes falls through cracks between IT, application and security teams,” said Mariano Nunez, CEO, Onapsis.
Oracle EBS is one of the most critical applications used by large organizations in enterprise resource planning (ERP), customer relationship management (CRM), supply chain management (SCM), finance management, human capital management, procurement and many others.
Last month, Oracle released patches to address vulnerabilities in the Apache Struts 2 framework, including CVE-2017-9805, a flaw actively exploited by attackers. Some of the affected Oracle products included MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.