Oracle on Tuesday released its first Critical Patch Update (CPU) for 2017. The software update addresses 270 security issues across its products, 121 of which were found in Oracle E-Business Suite.
This is the third consecutive quarterly CPU to address more than 250 vulnerabilities, which is not surprising given that the number of patches has been rising steadily for the past few years. The first CPU with over 200 patches (248) was published in January 2016, while the July 2016 release contained a record number of fixes (276).
Of the 270 vulnerabilities addressed this month, 158 (58%) may be exploited remotely without authentication, Oracle's advisory reveals. Oracle E-Business Suite was affected the most, with 118 (97%) of the 121 flaws resolved in it being remotely exploitable without authentication, but this does not mean that it is the most vulnerable Oracle product.
“We cannot say that Oracle EBS (E-Business Suite) is the most vulnerable product among [Oracle’s] solution portfolio. We can assume that Oracle EBS attracted third-party researchers’ attention, which resulted in the huge number of the vulnerabilities. For example, the surge of interest in SAP solutions in 2010 led to the skyrocketing number of the identified security issues (834 in 2010 vs. 131 in 2009). So, as a rule of thumb, when security researchers focus on an application, they will find security issues for sure,” explains ERPScan, a firm specializing in securing Oracle and SAP applications.
The list of affected Oracle products also includes Financial Services (37 patches), MySQL (27), Fusion Middleware (18), Java SE (17), Enterprise Manager Grid Control (8), Retail Applications (8), PeopleSoft (7), Database Server (5), Communications Applications (4), Primavera Products Suite (4), Sun Systems Products Suite (4), Virtualization (4), Siebel CRM (3), Secure Backup (2), Big Data Graph (1), Supply Chain Products Suite (1), JD Edwards (1), and Commerce (1).
Sixteen of the flaws addressed this quarter were rated critical, with CVSS base scores between 9.0 and 10.0. They affect Oracle Database Server, Secure Backup, Big Data Graph, Fusion Middleware, Enterprise Manager Grid Control, E-Business Suite, PeopleSoft Products, JD Edwards Products, Communications Applications, Java SE, and Primavera Products Suite.
The most severe bug addressed by Oracle this quarter is CVE-2017-3324 (CVSS Base Score: 10.0), a vulnerability in Primavera P6 Enterprise Project Portfolio Management that an unauthenticated attacker with network access via HTTP could exploit to gain creation, deletion or modification access to critical data.
Other critical issues resolved in the January 2017 CPU include a vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware, CVE-2017-3248 (CVSS Base Score: 9.8); another in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products, CVE-2016-6303 (CVSS Base Score: 9.8); a bug in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products (CVSS Base Score: 9.8); and a flaw in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control, CVE-2016-5019 (CVSS Base Score: 9.8).
“We have been involved in Oracle business applications research since 2008 and have always paid attention to the security of EBS, JDE, and PeopleSoft applications. However, they attracted attention only 2 years ago when ERPScan interns discovered multiple vulnerabilities in Oracle. This fact was widely covered by the media, which resulted in the skyrocketing number of the identified vulnerabilities in the solution. This quarter, this number reached its peak of 121 security issues (in EBS only!),” Alexander Polyakov, CTO at ERPScan, told SecurityWeek in an email.
“The situation is reminiscent of the state of SAP security several years ago. In 2009, there were a few dozen bugs; in 2010, as SAP security was in the spotlight, the number of closed issues totaled some 800. The matter is much broader than just SAP and EBS security. There are dozens of other business applications used in different industries that are waiting to become the next hot topic. PeopleSoft, JD Edwards, and Microsoft Dynamics are just several examples, and they have already been mentioned in the media,” Polyakov also said.