Oracle’s Critical Patch Update (CPU) for April 2018 contains 254 new security fixes, 153 of which address vulnerabilities in business-critical applications.
A total of 19 products received security updates in this CPU, including E-Business Suite, Fusion Middleware, Financial Services Applications, Java SE, MySQL, PeopleSoft, Retail Applications, and Sun Systems Products Suite. Nearly half of the bugs are remotely exploitable.
Forty-two of the security holes addressed this month were assessed with a Critical severity rating, with the most severe of them featuring a CVSS score of 9.8. Affected products include Fusion Middleware, Financial Services, PeopleSoft, EBS, and Retail Applications.
Fusion Middleware received 39 patches, the largest number an Oracle product received this month. Thirty of the vulnerabilities may be remotely exploitable without authentication, the software giant explains in its advisory.
Next in line comes Financial Services Applications, with 36 vulnerabilities patched (18 of which may be remotely exploitable without authentication), followed by MySQL at 33 flaws (2 remotely exploitable) and Retail Applications at 31 bugs (27 remotely exploitable).
Oracle also released patches for Java SE (14 vulnerabilities – 12 remotely exploitable without authentication), Sun Systems Products Suite (14 issues – 3 remotely exploitable), Hospitality Applications (13 – 4), Virtualization (13 – 3), E-Business Suite (12 – 11), PeopleSoft (12 – 8), and Enterprise Manager Products Suite (10 – 8).
Other affected products include Communications Applications (9 vulnerabilities, 6 of which may be exploited remotely) Supply Chain Products Suite (5 – 3), Construction and Engineering Suite (4 – 2), JD Edwards Products (3 – 3), Siebel CRM (2 – 1), Database Server ( 2 – 0), Support Tools (1 – 0), and Utilities Applications (1 – 1).
Overall, 153 of the patches Oracle released this month target vulnerabilities affecting crucial business applications: PeopleSoft, E-Business Suite, Fusion Middleware, Retail, JD Edwards, Siebel CRM, Financial Services, Hospitality Applications, and Supply Chain.
Around 69% of the issues may be exploited remotely without entering credentials, ERPScan, which specializes in securing Oracle and SAP applications, notes. The firm also points out that Oracle has 110,000 application customers from various industries, which “makes it of the utmost importance to apply the released security patches.”
One of the most critical vulnerabilities addressed this month is CVE-2018-7489, which features a CVSS Base Score of 9.8. The issue allows an unauthenticated attacker with network access to take over the vulnerable component.
The vulnerability impacts multiple components of Oracle Financial Services Applications including Risk Measurement and Management, Hedge Management and IFRS Valuations, and Analytical Applications Infrastructure.
Another critical issue resolved in this Oracle CPU is CVE-2018-2628 (CVSS Base Score: 9.8), which impacts the WebLogic Server component of Fusion Middleware and can be exploited by an attacker with network access via the T3 transport protocol.
Other critical issues include CVE-2017-5645 (CVSS Base Score: 9.8), impacting the JD Edwards World Security component of JD Edwards Products, and CVE-2017-5645 (CVSS Base Score: 9.8), impacting the Retail Order Management System component of Retail Applications. Attackers successfully exploiting the bugs could gain full control over the impacted components.