Analyzing Oracle Security – Oracle Critical Patch Update for October 2018

Today Oracle has released its quarterly patch update for October 2018. It fixes 301 vulnerabilities.

The main highlights are as follows:

  • Oracle closed 1119 issues in 2018 in total, the same number as in 2017.
  • CPU for October 2018 contains 162 vulnerabilities in business-critical applications.
  • The most vulnerable application is Oracle Fusion Middleware, with 65 security issues. Their severity is also alarming: 86% of them can be exploited over the network without user credentials.
  • This CPU contains 49 vulnerabilities assessed at critical (CVSS base score 9.0-10.0). The most severe vulnerability of the current CPU with the highest CVSS score of 10.0 is in the Oracle GoldenGate component.

Analysis of Oracle Critical Patch Update for October 2018

ERPScan Research and Security Intelligence teams provide an analysis of the vulnerabilities closed by this Critical Patch Update.

Compared with the previous CPU for July 2018, which passed the 330-issue mark and became the largest ever, this quarter's patch update addresses 10% fewer vulnerabilities (see the bar chart below).

Oracle fixed 1119 security issues in total in 2018. It is worth mentioning that this number remains the same as in 2017. The graph below illustrates the trend and the increasing number of patches released by Oracle for each year from 2013 to 2018.

Oracle vulnerabilities by application type

The patch update touches a wide range of products. The affected product families are shown in the table below, sorted in descending order by the number of closed issues.

Product Family                        Number of Patches
------------------------------------  -----------------
Fusion Middleware                     65
MySQL                                 38
Retail Applications                   31
PeopleSoft                            24
Sun Systems Products Suite            19
E-Business Suite                      16
Communications Applications           14
Virtualization                        14
Java SE                               12
Construction and Engineering Suite    10
Hospitality Applications               9
Hyperion                               9
Database Server                        7
JD Edwards Products                    6
Supply Chain Products Suite            6
Insurance Applications                 5
Enterprise Manager Products Suite      4
Food and Beverage Applications         4
Siebel CRM                             3
Financial Services Applications        2
iLearning                              1
Health Sciences Applications           1
Support Tools                          1

As seen from the table and illustrated in the pie chart, Fusion Middleware leads by the number of closed issues.

Vulnerabilities in Oracle’s business-critical applications

The fact that Oracle has 430,000 applications customers from a wide range of industries in 175 countries makes it of the utmost importance to apply the released security patches.

This quarter's CPU contains 162 patches for vulnerabilities affecting Oracle's most crucial business applications, namely PeopleSoft, E-Business Suite, Fusion Middleware, Retail, JD Edwards, Siebel CRM, Financial Services, Hospitality Applications, and Supply Chain. This is 54% of the vulnerabilities found in Oracle products this quarter.

125 of these security vulnerabilities can be exploited remotely without entering credentials.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business information, depending on modules installed in an organization.

This quarter, the vendor released 24 fixes (8% of the update) addressing this component (see the bar chart). 21 of them can be exploited over the network without user credentials.

As seen from the graph, the number of vulnerabilities in PeopleSoft has fluctuated several times since October 2015 and rose from April to October 2018.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on the modules installed in an organization.

This critical patch update contains 16 fixes for Oracle EBS, and 14 of the vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 8.2.

The most critical Oracle vulnerabilities closed by CPU for October 2018

Oracle prepares Risk Matrices and associated documentation describing the conditions that are required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This helps Oracle customers fix the most critical issues first.

The most critical issues closed by the CPU are as follows:

  • Oracle GoldenGate has CVE-2018-2913 (CVSS Base Score: 10.0) – a vulnerability in the Oracle GoldenGate component of Oracle GoldenGate (subcomponent: Monitoring Manager). Supported versions that are affected are 12.1.2.1.0, 12.2.0.2.0 and 12.3.0.1.0. The easily exploitable vulnerability allows an unauthenticated attacker with network access via TCP to compromise Oracle GoldenGate. While the vulnerability exists in Oracle GoldenGate, attacks may significantly impact additional products. Successful attacks can result in the takeover of Oracle GoldenGate.
  • Java VM has CVE-2018-3259 (CVSS Base Score: 9.8) – a vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18c. The easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Java VM. Successful attacks of this vulnerability can result in the takeover of Java VM.
  • Oracle Big Data Discovery has CVE-2018-1275 (CVSS Base Score: 9.8) – a vulnerability in the Oracle Big Data Discovery component of Oracle Fusion Middleware (subcomponent: Data Processing (Spring Framework)). The supported version that is affected is 1.6.0. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Big Data Discovery. Successful attacks of this vulnerability can result in the takeover of Oracle Big Data Discovery.
  • JD Edwards EnterpriseOne Orchestrator has CVE-2018-7489 (CVSS Base Score: 9.8) – a vulnerability in the JD Edwards EnterpriseOne Orchestrator component of Oracle JD Edwards Products (subcomponent: IoT Orchestrator Security (jackson-databind)). The supported version that is affected is 9.2. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Orchestrator. Successful attacks of this vulnerability can result in the takeover of JD Edwards EnterpriseOne Orchestrator.
  • MySQL Enterprise Monitor has CVE-2018-11776 (CVSS Base Score: 9.8) – a vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: General (Apache Struts 2)). Supported versions that are affected are 3.4.9.4237 and prior, 4.0.6.5281 and prior, and 8.0.2.8191 and prior. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in the takeover of MySQL Enterprise Monitor.

Securing Oracle applications

It is highly recommended that organizations patch all of these vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle security assessment and Oracle penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.
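The post's guidance, to patch the CVSS 9.0-10.0 issues first and to treat unauthenticated network-reachable flaws as the most urgent, is easy to turn into a repeatable triage step. The script below is an added example, not ERPScan's or Oracle's code: it transcribes the five advisories from the list above (CVE ids, CVSS base scores and affected versions exactly as the post states them), matches them against a constructed inventory of deployed versions, and orders the hits by a priority rule that is our own assumption, not Oracle's. The "X and prior" version matching (same release line, up to and including the bound) is likewise an assumption about how to read the advisory wording.

```python
"""Patch-priority triage over the Oracle CPU October 2018 advisories listed
in the post. Added example; the ranking rule and version-matching semantics
are assumptions made here, not Oracle's."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: float
    network: bool          # exploitable with network access
    unauthenticated: bool  # no credentials required
    affected_versions: tuple  # exact versions or "X and prior" bounds


# Transcribed from the post's "most critical issues" list.
CPU_OCT_2018 = [
    Advisory("CVE-2018-2913", "Oracle GoldenGate", 10.0, True, True,
             ("12.1.2.1.0", "12.2.0.2.0", "12.3.0.1.0")),
    Advisory("CVE-2018-3259", "Oracle Database Server (Java VM)", 9.8, True, True,
             ("11.2.0.4", "12.1.0.2", "12.2.0.1", "18c")),
    Advisory("CVE-2018-1275", "Oracle Big Data Discovery", 9.8, True, True,
             ("1.6.0",)),
    Advisory("CVE-2018-7489", "JD Edwards EnterpriseOne Orchestrator", 9.8, True, True,
             ("9.2",)),
    Advisory("CVE-2018-11776", "MySQL Enterprise Monitor", 9.8, True, True,
             ("3.4.9.4237 and prior", "4.0.6.5281 and prior", "8.0.2.8191 and prior")),
]

CRITICAL_THRESHOLD = 9.0  # the post's "critical" band is CVSS 9.0-10.0


def version_key(version):
    """Turn '12.1.0.2' or '18c' into a tuple of ints that compares numerically.
    Non-numeric suffixes such as the 'c' in '18c' are dropped."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(deployed, affected_spec):
    """Match a deployed version against one affected-version entry.
    Exact entries ('12.2.0.1') must match fully. Bounds ('4.0.6.5281 and
    prior') are read (our assumption) as covering the release line that shares
    the first two numeric components, up to and including the bound."""
    dep = version_key(deployed)
    suffix = " and prior"
    if affected_spec.endswith(suffix):
        bound = version_key(affected_spec[: -len(suffix)])
        return dep[:2] == bound[:2] and dep <= bound
    return dep == version_key(affected_spec)


def priority(adv):
    """P1: critical and reachable unauthenticated over the network (patch first).
    P2: critical but needing credentials or local access.
    P3: below critical but unauthenticated and network-reachable.
    P4: everything else. This rule is an assumption for the example."""
    critical = adv.cvss >= CRITICAL_THRESHOLD
    exposed = adv.network and adv.unauthenticated
    if critical and exposed:
        return 1
    if critical:
        return 2
    if exposed:
        return 3
    return 4


def triage(advisories, inventory):
    """inventory maps product name -> deployed version string. Returns the
    advisories that apply, most urgent first (priority, then CVSS descending)."""
    hits = []
    for adv in advisories:
        deployed = inventory.get(adv.product)
        if deployed is None:
            continue
        if any(is_affected(deployed, spec) for spec in adv.affected_versions):
            hits.append(adv)
    return sorted(hits, key=lambda a: (priority(a), -a.cvss, a.cve))


# Constructed inventory for the example; not real deployment data.
SAMPLE_INVENTORY = {
    "Oracle GoldenGate": "12.3.0.1.0",                 # listed as affected
    "Oracle Database Server (Java VM)": "12.2.0.1",    # listed as affected
    "MySQL Enterprise Monitor": "4.0.7.0",             # newer than the 4.0.x bound
    "JD Edwards EnterpriseOne Orchestrator": "9.1",    # not in the affected list
}

if __name__ == "__main__":
    for adv in triage(CPU_OCT_2018, SAMPLE_INVENTORY):
        print(f"P{priority(adv)} {adv.cve} {adv.product} CVSS {adv.cvss}")
```

Running the script against the constructed inventory reports only the GoldenGate and Java VM advisories, both at P1, with GoldenGate first because of its 10.0 score; the MySQL Enterprise Monitor entry drops out because 4.0.7.0 is above the 4.0.6.5281 bound, and the JD Edwards entry because 9.1 is not the listed 9.2. Replacing SAMPLE_INVENTORY with an export from a real asset inventory turns this into a quarterly check.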
