Analyzing Oracle Security – Oracle Critical Patch Update January 2017
Today Oracle has released its quarterly patch update for January 2017. It fixes a total of 270 vulnerabilities.
The highlights are as follows:
- The average number of security issues released every quarter keeps growing and exceeds 200.
- The focus has shifted from Database and Java SE to critical business applications, as we predicted over the last two years. This quarter, 121 patches address vulnerabilities in Oracle E-Business Suite, Oracle's main business application suite, and 97% of them may be remotely exploitable without authentication.
- The patch update also contains 16 vulnerabilities assessed as critical (CVSS base score 9.0-10.0), including one rated 10.0.
This quarter's CPU contains slightly more security patches than the previous one for October 2016 (253).
The volume of Oracle's CPUs keeps growing: the average number of fixes per CPU was 153 in 2015 and 227 in 2016. The 200 mark was first exceeded in January 2016, and a CPU of more than 200 patches now seems to be the new normal.
Oracle Critical Patch Update Analysis
Below is an analysis of the most significant vulnerabilities closed by this Critical Patch Update, provided by the ERPScan Research and Security Intelligence teams.
Oracle vulnerabilities by Application type
The affected product families are as follows (listed by the number of closed issues in descending order):
| Product family | Number of patches |
|---|---|
| Oracle E-Business Suite | 121 |
| Oracle Financial Services | 37 |
| Oracle Fusion Middleware | 18 |
| Oracle Java SE | 17 |
| Oracle Enterprise Manager Grid Control | 8 |
| Oracle Retail Applications | 8 |
| Oracle Database Server | 5 |
| Oracle Communications Applications | 4 |
| Oracle Primavera Products Suite | 4 |
| Oracle Sun Systems Products Suite | 4 |
| Oracle Siebel CRM | 3 |
| Oracle Secure Backup | 2 |
| Oracle Big Data Graph | 1 |
| Oracle Supply Chain Products Suite | 1 |
| Oracle JD Edwards | 1 |
Vulnerabilities in Oracle business-critical applications
This quarter's CPU contains numerous patches for vulnerabilities affecting Oracle's most crucial business applications: Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products and Oracle Database Server. About 58% (158) of all the patches close vulnerabilities in these products, and most of them can be exploited remotely without authentication.
Oracle E-Business Suite Security
Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.
This Critical Patch Update contains 121 fixes for Oracle EBS, a record number of fixes for a single Oracle product. 118 of them are remotely exploitable without authentication. The highest CVSS score is 9.1.
Nonetheless, this does not mean that Oracle EBS is the most vulnerable product in Oracle's portfolio. A more likely explanation is that Oracle EBS attracted the attention of third-party researchers, which produced the large number of reported vulnerabilities. The same happened with SAP: the surge of researcher interest in SAP solutions in 2010 led to a jump in identified security issues (834 in 2010 vs. 131 in 2009). As a rule of thumb, when security researchers focus on an application, they find security issues.
Oracle PeopleSoft Security
Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization.
This Critical Patch Update contains 7 fixes for Oracle PeopleSoft, with the highest CVSS score of 9.8.
Oracle vulnerabilities identified by ERPScan Research team
This quarter, 2 critical vulnerabilities discovered by ERPScan researchers were closed.
- XSS in Oracle PeopleSoft. An attacker can use a specially crafted HTTP request to hijack the session data of administrators or users.
- DoS in Oracle OpenJDK. OpenJDK is an open-source implementation of the Java Platform, Standard Edition. OpenJDK is used by third-party developers, so their custom applications may include the vulnerable code and be susceptible to this DoS.
The most critical Oracle vulnerabilities closed by CPU January 2017
Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of each vulnerability is calculated with the Common Vulnerability Scoring System (CVSS), which helps Oracle customers fix the most critical issues first.
The most critical issues closed by the CPU are as follows
Securing Oracle applications
Organizations are strongly advised to apply all of these patches to prevent the associated business risks. Companies providing Oracle security assessment and Oracle penetration testing services should add these vulnerabilities to their checklists. Tests for the latest Oracle PeopleSoft vulnerabilities are included in the ERPScan Security Monitoring Suite for Oracle PeopleSoft.