Oracle on Tuesday released its July 2017 Critical Patch Update (CPU) to address a total of 308 vulnerabilities, the highest number of security fixes ever released in a quarter by the enterprise software giant.
This month’s CPU resolves security issues in 22 different Oracle products, including Oracle Database Server, Oracle Enterprise Manager, Oracle Fusion Middleware, Oracle Hyperion, Oracle E-Business Suite, Oracle Industry Applications (Communications, Retail, and Hospitality), Oracle Primavera, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.
Of the total 308 vulnerabilities addressed, 27 were assessed as critical issues, with a CVSS base score between 9.0 and 10.0 (only one bug was rated 10). Over half of the vulnerabilities addressed this month can be exploited remotely without authentication.
Oracle Hospitality Applications received the largest number of security fixes, at 48 – 11 of these may be remotely exploitable without authentication. Oracle Fusion Middleware received 44 fixes (31 remotely exploitable without authentication), including one that addressed a critical vulnerability (CVE-2017-10137 – CVSS score 10.0) in Oracle WebLogic Server.
Oracle also resolved large numbers of vulnerabilities in Oracle Java SE (32 – 28 remotely exploitable without authentication), Oracle PeopleSoft Products (30 – 20 remotely exploitable), Oracle MySQL (30 – 9 remotely exploitable), Oracle E-Business Suite (22 – 18 remotely exploitable), and Oracle Financial Services Applications (20 – 4 remotely exploitable).
The record-breaking number of 30 flaws addressed in PeopleSoft is worrying, especially since 20 of the bugs can be exploited over the network without user credentials, notes ERPScan, a firm that specializes in securing SAP and Oracle software.
“Oracle PeopleSoft combines Supplier Relationship Management, Human Capital Management, Supply Chain Management, and other applications. The software has 6000+ enterprise customers and serves 20 million end users worldwide including more than 800 universities. Over 1000 PeopleSoft systems are available on the Internet putting organizations at risk. According to the latest survey from Crowd Research partners, 89% of responders agreed that the number of cyber-attacks on ERP will significantly grow in the near future. SAP Attacks may cost up to $50 million, PeopleSoft is definitely the same weight category,” Alexander Polyakov, CTO at ERPScan, told SecurityWeek in an emailed statement.
A total of 82 of the vulnerabilities addressed in this quarter’s CPU affect a range of crucial business applications from Oracle, such as Oracle PeopleSoft, E-Business Suite, Siebel CRM, Oracle Financial Services, and Oracle Primavera Products Suite. Around 53% of these bugs can be exploited remotely without authentication.
One of the most important vulnerabilities in E-Business Suite (CVE-2017-10244) is an Information Disclosure issue that could allow an attacker “to exfiltrate sensitive business data without requiring a valid user account in the system,” Onapsis, the company that discovered the issue, reveals. The flaw affects all supported Oracle E-Business Suite versions: 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6.
“This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it. Any number of critical documents could be stored in the system including invoices, purchase orders, HR information and design documents to start. Even systems in DMZ mode do not ensure these systems are not vulnerable,” Juan Perez-Etchegoyen, Onapsis CTO, said.
Other Oracle E-Business Suite flaws addressed this month include a path traversal vulnerability (CVE-2017-10192), multiple vulnerabilities that allow path traversal attacks (grouped under CVE-2017-10184 and CVE-2017-10186), two denial-of-service vulnerabilities (CVE-2017-10108 and CVE-2017-10109), a multiple cross-site scripting vulnerability (CVE-2017-10180), two cross-site scripting vulnerabilities (CVE-2017-10185 and CVE-2017-10191), and an information disclosure vulnerability (CVE-2017-10245).
“There are different vulnerabilities which could be used by an attacker to compromise the system and get business critical information. It is crucial to update Oracle E-Business Suite with the last patch to fix all of these vulnerabilities and have the system up to date,” Onapsis says.
The most critical issues resolved in the Oracle July 2017 CPU affect the Oracle WebLogic Server component of Oracle Fusion Middleware (CVE-2017-10137 – CVSS score 10.0), the OJVM component of Oracle Database Server (CVE-2017-10202 – CVSS score 9.9), the Oracle Communications BRM component of Oracle Communications Applications (CVE-2015-3253 – CVSS score 9.8), the MICROS PC Workstation 2015 component of Oracle Hospitality Applications (CVE-2017-5689 – CVSS score 9.8), and the MySQL Enterprise Monitor component of Oracle MySQL (CVE-2016-4436 – CVSS score 9.8).
Each quarter starting last year, Oracle has been patching an increasing number of vulnerabilities in its products. After the January 2016 CPU broke the 200 security patches barrier, the April 2017 one hit the 300 mark, and this month’s set of patches sets a new record.
As more and more security researchers focus on finding vulnerabilities in business software, the number of addressed issues is expected to increase. This should result in improved overall security for Oracle software, but only as long as patches are installed in a timely manner, which is a difficult and monotonous task, as ERPScan points out.