Analyzing Oracle Security – Oracle Critical Patch Update January 2017

Today Oracle has released its quarterly patch update for January 2017. It fixes a total of 270 vulnerabilities.

The highlights are as follows:

  • The average number of security issues released every quarter keeps growing and exceeds 200.
  • The focus has shifted from Database and Java SE to critical business applications, as we predicted within the last 2 years. This quarter, more than 100 patches address vulnerabilities in Oracle E-Business Suite (Oracle’s main business software), and 97% of them may be remotely exploitable without authentication.
  • The patch update also contains 16 vulnerabilities assessed critical (CVSS base score 9.0-10.0), including 1 rated 10.0.

This quarter’s CPU contains slightly more security patches than the previous CPU for October 2016 (253).

Of note, the volume of Oracle’s CPU continues to grow: the average number of fixes per quarter was 153 in 2015 and 227 in 2016. The number of patches first exceeded the 200 mark in January 2015, and a 200-plus patch volume now seems to have become the new normal.

Oracle Critical Patch Update Analysis

Below you can find an analysis of the most significant vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Security Intelligence teams.

Oracle vulnerabilities by Application type

The affected product families are as follows (listed by the number of closed issues in descending order):

Product family                            Number of patches
Oracle E-Business Suite                   121
Oracle Financial Services                 37
Oracle MySQL                              27
Oracle Fusion Middleware                  18
Oracle Java SE                            17
Oracle Enterprise Manager Grid Control    8
Oracle Retail Applications                8
Oracle PeopleSoft                         7
Oracle Database Server                    5
Oracle Communications Applications        4
Oracle Primavera Products Suite           4
Oracle Sun Systems Products Suite         4
Oracle Virtualization                     4
Oracle Siebel CRM                         3
Oracle Secure Backup                      2
Oracle Big Data Graph                     1
Oracle Supply Chain Products Suite        1
Oracle JD Edwards                         1
Oracle Commerce                           1

Vulnerabilities in Oracle business-critical applications

This quarter’s CPU contains numerous patches for vulnerabilities affecting the most crucial business applications from Oracle, namely Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products and Oracle Database Server. About 58% (158) of all the patches close vulnerabilities in the aforementioned products, and most of them can be exploited remotely without authentication.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on the modules installed in an organization.

This critical patch update contains 121 fixes for Oracle EBS, which is a record-breaking number of fixes for a single Oracle system. 118 of them are remotely exploitable. The highest CVSS score is 9.1.

Nonetheless, we cannot say that Oracle EBS is the most vulnerable product in Oracle’s solution portfolio. We can assume that Oracle EBS attracted the attention of third-party researchers, which resulted in the huge number of vulnerabilities. For example, the surge of interest in SAP solutions in 2010 led to a skyrocketing number of identified security issues (834 in 2010 vs. 131 in 2009). So, as a rule of thumb, when security researchers focus on an application, they will find security issues for sure.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business-critical information, depending on the modules installed in an organization.

This Critical Patch Update contains 7 fixes for Oracle PeopleSoft, with the highest CVSS score of 9.8.

Oracle vulnerabilities identified by ERPScan Research team

This quarter, 2 critical vulnerabilities discovered by ERPScan researchers were closed.

  • XSS in Oracle PeopleSoft. An attacker can use a specially crafted HTTP request to hijack the session data of administrators or users.
  • DoS in Oracle OpenJDK. OpenJDK is an open-source implementation of the Java Platform, Standard Edition. The OpenJDK project is used by third-party developers, meaning that their custom applications may include the vulnerable code and be susceptible to the DoS vulnerability.

The most critical Oracle vulnerabilities closed by CPU January 2017

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This aims to help Oracle customers fix the most critical issues first.

The most critical issues closed by the CPU are as follows:

  • Primavera P6 Enterprise Project Portfolio Management has CVE-2017-3324 (CVSS Base Score: 10.0) – Vulnerability in the Primavera P6 Enterprise Project Portfolio Management component of Oracle Primavera Products Suite (subcomponent: Web Access). Supported versions that are affected are 8.2, 8.3, 8.4, 15.1, 15.2, 16.1 and 16.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Primavera P6 Enterprise Project Portfolio Management accessible data as well as unauthorized access to critical data or complete access to all Primavera P6 Enterprise Project Portfolio Management accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of Primavera P6 Enterprise Project Portfolio Management.
  • Oracle WebLogic Server has CVE-2017-3248 (CVSS Base Score: 9.8) – Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
  • PeopleSoft Enterprise PeopleTools has CVE-2016-6303 (CVSS Base Score: 9.8) – Vulnerability in the PeopleSoft Enterprise PeopleTools component of Oracle PeopleSoft Products (subcomponent: Security). Supported versions that are affected are 8.54 and 8.55. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise PeopleTools.
  • JD Edwards EnterpriseOne Tools has CVE-2016-6303 (CVSS Base Score: 9.8) – Vulnerability in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products (subcomponent: Enterprise Infrastructure SEC). The supported version that is affected is 9.2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in takeover of JD Edwards EnterpriseOne Tools.
  • Enterprise Manager Base Platform has CVE-2016-5019 (CVSS Base Score: 9.8) – Vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control (subcomponent: UI Framework). Supported versions that are affected are 12.1.0.5, 13.1 and 13.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform.
Securing Oracle applications

It is highly recommended that organizations patch all these vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.
