Analyzing Oracle Security – Oracle Critical Patch Update for January 2019

Today Oracle has released its quarterly patch update for January 2019. It fixes a total of 284 vulnerabilities.

The main highlights are as follows:

  • The current CPU contains 178 vulnerabilities in business-critical applications, 63% of all the vulnerabilities fixed in Oracle products in January 2019.
  • 28 vulnerabilities in business applications (including Financial Services Applications, JD Edwards Products, Retail Applications, etc.) received a CVSS 3.0 Base Score of 9.8 (out of 10.0), the highest score in this CPU.
  • The product family with the most fixes is Oracle Fusion Middleware, with 62. Most of them (57) can be exploited over the network without user credentials. The most critical Fusion Middleware vulnerability has a Base Score of 9.8.

Analysis of Oracle Critical Patch Update – January 2019

With this blog post, ERPScan Research and Security Intelligence teams provide an analysis of the most severe vulnerabilities closed by Critical Patch Update for January 2019.

This set of critical patch updates contains slightly fewer security issues than the previous CPU for October 2018 (see the bar chart below).

The downward trend continues this quarter after the record-breaking 334-issue mark in the CPU for July 2018.

Oracle vulnerabilities by application type

The patch updates deal with a wide range of products. The affected product families are listed below in a table by the number of closed issues in descending order.

Product Family                       Number of Patches
Fusion Middleware                    62
Communications Applications          33
MySQL                                30
Virtualization                       30
PeopleSoft                           20
E-Business Suite                     16
Retail Applications                  16
Enterprise Manager Products Suite    11
Sun Systems Products Suite           11
Financial Services Applications       9
Food and Beverage                     6
Health Sciences Applications          6
Java SE                               5
Supply Chain Products Suite           5
Insurance Applications                5
Hospitality Applications              5
Construction and Engineering Suite    4
Database Server                       3
JD Edwards Products                   2
Utilities Applications                2
Hyperion                              1
Siebel CRM                            1
Support Tools                         1
Total                               284

As indicated by the table and the pie chart, Fusion Middleware leads by the number of the closed issues.

Vulnerabilities in Oracle’s business-critical applications

Oracle has 430,000 applications customers across a wide range of industries, which makes applying the released security patches of the utmost importance.

This quarter, the Oracle CPU contains 178 patches (63%) for vulnerabilities affecting business applications, namely PeopleSoft, E-Business Suite, Financial Services Applications, Fusion Middleware, Hospitality Applications, Supply Chain Products Suite, Retail Applications, Communications Applications, Health Sciences Applications, Database Server, JD Edwards Products, and others. 150 of these vulnerabilities can be exploited remotely without credentials.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business-critical information, depending on the modules installed in an organization.

This quarter, the vendor released 20 fixes for PeopleSoft. 15 of these vulnerabilities can be exploited over the network without requiring user credentials.

The highest CVSS score is 8.8.

The number of PeopleSoft fixes rose sharply to a peak of 30 in July 2017 and then declined slowly but steadily over the following three quarters. The count has dropped again compared with October 2018.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on the modules installed in an organization.

This critical patch update contains 16 fixes for Oracle EBS. All of these security issues can be exploited over the network without requiring user credentials. The highest CVSS score is 9.1.

The number of Oracle EBS fixes has stayed fairly flat since January 2018, dipping to a low of 7 before ending the last quarter of 2018 at 16. The patch update for January 2019 again contains 16 Oracle EBS fixes, the same as in October 2018.

The most critical Oracle vulnerabilities closed by CPU January 2019

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of each vulnerability is expressed as a CVSS 3.0 Base Score calculated from its Common Vulnerability Scoring System (CVSS) vector, which helps Oracle customers fix the most critical issues first. In practice, the two vector components that matter most for triage are Attack Vector (AV:N, reachable over the network) and Privileges Required (PR:N, no credentials needed); an issue scored 9.8 has both, plus high impact on confidentiality, integrity and availability.

The most critical issues closed by the CPU are as follows. Note that three of the five are previously published Java deserialization flaws in bundled third-party libraries (Jython, Apache Commons FileUpload, Apache Log4j), so the vulnerable library versions may also be present in other software in your estate that Oracle's CPU does not cover:

  • Oracle Banking Platform has CVE-2016-4000 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Banking Platform component of Oracle Financial Services Applications (subcomponent: Patching (Jython)). Supported versions that are affected are 2.6.0, 2.6.1, and 2.6.2. The easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Banking Platform. Successful attacks of this vulnerability can result in the takeover of Oracle Banking Platform.
  • Oracle Retail Central Office has CVE-2016-1000031 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Retail Central Office component of Oracle Retail Applications (subcomponent: Security (Apache Commons FileUpload)). Supported versions that are affected are 13.3, 13.4, 14.0, and 14.1. The easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Central Office. Successful attacks of this vulnerability can result in the takeover of Oracle Retail Central Office.
  • Tape Library ACSLS has CVE-2017-5645 (CVSS Base Score: 9.8) – Vulnerability in the Tape Library ACSLS component of Oracle Sun Systems Products Suite (subcomponent: Software (Apache Log4j)). The supported version that is affected is 8.4. The easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Tape Library ACSLS. Successful attacks of this vulnerability can result in the takeover of Tape Library ACSLS.
  • Oracle Agile PLM has CVE-2015-8965 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Agile PLM component of Oracle Supply Chain Products Suite (subcomponent: Gantt Chart (JViews)). Supported versions that are affected are 9.3.3, 9.3.4, 9.3.5, and 9.3.6. The easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Agile PLM. Successful attacks of this vulnerability can result in the takeover of Oracle Agile PLM.
  • Oracle Communications Online Mediation Controller has CVE-2017-5645 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Communications Online Mediation Controller component of Oracle Communications Applications (subcomponent: Security (Apache Log4j)). The supported version that is affected is 6.1. The easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications Online Mediation Controller. Successful attacks of this vulnerability can result in the takeover of Oracle Communications Online Mediation Controller.
Securing Oracle applications

It is highly recommended that organizations patch all these vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.
