Oracle Patches 270 Vulnerabilities Across Product Portfolio

Oracle on Tuesday released its first Critical Patch Update (CPU) for 2017. The software update addresses 270 security issues across its products, 121 of which were found in Oracle E-Business Suite.

This is the third quarter in a row with over 250 vulnerabilities being addressed by the Oracle CPU, but that’s not surprising, as the number of patches has been continuously increasing for the past few years. The first CPU with over 200 patches (248) was published in January 2016, while the July 2016 release contained a record number of fixes (276).

Of the 270 vulnerabilities addressed this month, 158 (58%) could be exploited remotely without authentication, Oracle’s advisory reveals. Oracle E-Business Suite accounts for the largest share: 118 (97%) of the 121 flaws resolved in it are remotely exploitable without authentication. That does not, however, make it the most vulnerable Oracle product.

“We cannot say that Oracle EBS (E-Business Suite) is the most vulnerable product among [Oracle’s] solution portfolio. We can assume that Oracle EBS attracted third-party researchers’ attention, which resulted in the huge number of the vulnerabilities. For example, the surge of interest in SAP solutions in 2010 led to the skyrocketing number of the identified security issues (834 in 2010 vs. 131 in 2009). So, as a rule of thumb, when security researchers focus on an application, they will find security issues for sure,” ERPScan, a firm specialized in securing Oracle and SAP applications, explains.

The list of affected Oracle products also includes Financial Services (37 patches), MySQL (27), Fusion Middleware (18), Java SE (17), Enterprise Manager Grid Control (8), Retail Applications (8), PeopleSoft (7), Database Server (5), Communications Applications (4), Primavera Products Suite (4), Sun Systems Products Suite (4), Virtualization (4), Siebel CRM (3), Secure Backup (2), Big Data Graph (1), Supply Chain Products Suite (1), JD Edwards (1), and Commerce (1).

16 of the flaws addressed this quarter were rated critical, with a CVSS base score between 9.0 and 10.0. These affected Oracle Database Server, Secure Backup, Big Data Graph, Fusion Middleware, Enterprise Manager Grid Control, E-Business Suite, PeopleSoft Products, JD Edwards Products, Communications Applications, Java SE, and Primavera Products Suite.

The most important bug addressed by Oracle this quarter is CVE-2017-3324 (CVSS Base Score: 10.0), a Primavera P6 Enterprise Project Portfolio Management vulnerability that could be exploited by an unauthenticated attacker with network access via HTTP for creation, deletion or modification access to critical data.

Other critical issues resolved in the January 2017 CPU include a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware – CVE-2017-3248 (CVSS Base Score: 9.8); another in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products – CVE-2016-6303 (CVSS Base Score: 9.8); a bug in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products (CVSS Base Score: 9.8); and a flaw in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control – CVE-2016-5019 (CVSS Base Score: 9.8).
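With several hundred fixes in one CPU, the practical question for a defender is which ones to roll out first. The two signals the article leans on, the CVSS base score band and whether the bug is exploitable remotely without authentication, are enough for a first-pass triage. The following is an added example, not code from the article or from Oracle; it uses the CVE ids and scores quoted above, but the `remote_no_auth` flags on every row except CVE-2017-3324 (which the article describes as unauthenticated over HTTP) are constructed sample values, the JD Edwards row uses a placeholder because the article gives no CVE id for it, and the final MySQL row is entirely made up.

```python
"""Triage helper for Oracle CPU-style advisory rows.

Added example, not taken from the SecurityWeek article or Oracle's advisory.
CVE ids and scores are the ones the article quotes; the remote_no_auth
flags (except for CVE-2017-3324) and the last row are constructed sample data.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class AdvisoryRow:
    cve: str
    product: str
    cvss: float
    remote_no_auth: bool  # "may be exploited remotely without authentication"


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score to its qualitative rating (FIRST's ranges)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss}")
    if cvss >= 9.0:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def priority_key(row: AdvisoryRow):
    # Unauthenticated remote bugs first, then by score descending, then by id
    # so the ordering is deterministic for equal scores.
    return (not row.remote_no_auth, -row.cvss, row.cve)


def triage(rows: List[AdvisoryRow]) -> List[AdvisoryRow]:
    """Return rows in the order a patch rollout should address them."""
    return sorted(rows, key=priority_key)


def remote_no_auth_share(rows: List[AdvisoryRow]) -> float:
    """Fraction of rows exploitable remotely without authentication."""
    if not rows:
        return 0.0
    return sum(1 for r in rows if r.remote_no_auth) / len(rows)


def count_by_severity(rows: List[AdvisoryRow]) -> dict:
    """Histogram of qualitative ratings, e.g. {'Critical': 5, 'Medium': 1}."""
    counts: dict = {}
    for r in rows:
        counts[severity(r.cvss)] = counts.get(severity(r.cvss), 0) + 1
    return counts


# Sample rows: ids/scores from the article, flags constructed unless noted.
SAMPLE_ROWS = [
    AdvisoryRow("CVE-2017-3324", "Primavera P6 EPPM", 10.0, True),  # flag per article
    AdvisoryRow("CVE-2017-3248", "WebLogic Server", 9.8, True),  # flag constructed
    AdvisoryRow("CVE-2016-6303", "PeopleSoft PeopleTools", 9.8, True),  # flag constructed
    AdvisoryRow("CVE-2016-5019", "Enterprise Manager Base Platform", 9.8, False),  # flag constructed
    AdvisoryRow("CVE-PLACEHOLDER-JDE", "JD Edwards EnterpriseOne Tools", 9.8, True),  # id not in article
    AdvisoryRow("EXAMPLE-MYSQL-1", "MySQL (constructed row)", 6.5, False),  # entirely made up
]


if __name__ == "__main__":
    for row in triage(SAMPLE_ROWS):
        tag = "remote/no-auth" if row.remote_no_auth else "authenticated or local"
        print(f"{row.cve:22} {row.cvss:4.1f} {severity(row.cvss):8} {tag:22} {row.product}")
    print(f"share remote without auth: {remote_no_auth_share(SAMPLE_ROWS):.0%}")
    print(count_by_severity(SAMPLE_ROWS))
```

The sort key deliberately puts a 9.8 that needs no credentials ahead of a 10.0 that does not, because exposure, not score alone, decides what an internet-facing system gets hit with first; in a real rollout the product column would be joined against an asset inventory so that only installed components are scheduled.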

“We have been involved in Oracle Business applications research since 2008 and always paid attention to the security of EBS, JDE, and PeopleSoft applications. However, they attracted attention only 2 years ago when ERPScan interns discovered multiple vulnerabilities in Oracle. This fact was widely covered by the media, which resulted in the skyrocketing number of the identified vulnerabilities in the solution. This quarter, this number reached its peak of 121 security issues (in EBS only!),” Alexander Polyakov, CTO at ERPScan, told SecurityWeek in an email.

“The situation is reminiscent of the state of SAP security several years ago. In 2009, there were a few dozen bugs; in 2010, as SAP security was in the spotlight, the number of closed issues totaled some 800. The matter is much broader than just SAP and EBS security. There are dozens of other business applications used in different industries that are waiting to become a new hot topic. PeopleSoft, JD Edwards, Microsoft Dynamics are just several examples, and they have already been mentioned in the media,” Polyakov also said.

Related: Oracle Critical Patch Update for October 2016 Fixes 253 Vulnerabilities

Related: Oracle’s Critical Patch Update for July Contains Record Number of Fixes

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
