Analyzing Oracle Security – Oracle Critical Patch Update January 2018

Today Oracle has released its quarterly patch update for January 2018. It fixes a total of 237 vulnerabilities.

The main highlights are as follows:

  • The current CPU contains 153 vulnerabilities in Business-Critical Applications, which is 64% of all vulnerabilities fixed in this update.
  • The highest CVSS 3.0 Base Score among Business Applications in this Critical Patch Update is 9.9, in Fusion Middleware (Oracle WebLogic Server), followed by 9.8 in Fusion Middleware, PeopleSoft and Retail Applications (the overall highest score of 10.0 is in the Sun ZFS Storage Appliance Kit).
  • The product family with the most fixes is Financial Services Applications, with 34. Not only the number but also the criticality of the issues is alarming: 13 of them can be exploited over the network without user credentials, and the most critical one has a CVSS score of 8.8.

Analysis of Oracle Critical Patch Update – January 2018

With this blog post, the ERPScan Research and Security Intelligence teams provide an analysis of the most severe vulnerabilities closed by this Critical Patch Update.

This Critical Patch Update contains slightly fewer security fixes than the previous one for October 2017 (see the bar chart below). The downward trend continues this quarter, after the record-breaking 308 issues fixed in the CPU for July 2017.

However, the average number of fixes per CPU keeps growing year over year: 153 in 2015, 227 in 2016 and 279 in 2017.

Oracle vulnerabilities by application type

The patch update covers a wide range of products. The affected product families are listed in the table below by the number of closed issues, in descending order.

Product Family                              Number of Patches
Financial Services Applications             34
Fusion Middleware                           27
MySQL                                       25
Java SE                                     21
Hospitality Applications                    21
PeopleSoft                                  15
Supply Chain Products Suite                 14
Virtualization                              14
Sun Systems Products Suite                  13
Retail Applications                         11
Communications Applications                 10
Health Sciences Applications                 7
E-Business Suite                             7
Database Server                              5
Hyperion                                     4
Support Tools                                3
JD Edwards Products                          2
Siebel CRM                                   2
Construction and Engineering Suite           1
Java Micro Edition                           1

Pie chart: Oracle vulnerabilities by application type

As the pie chart shows, Financial Services Applications leads by the number of closed issues.

Vulnerabilities in Oracle’s business-critical applications

Oracle has 110,000 applications customers across a wide range of industries, which makes applying the released security patches a matter of the utmost importance.

This quarter, the Oracle CPU contains 153 patches (64% of the total) for vulnerabilities affecting business applications, namely PeopleSoft, E-Business Suite, Financial Services Applications, Fusion Middleware, Hospitality Applications, Supply Chain Products Suite, Retail Applications, Communications Applications, Health Sciences Applications, Database Server, JD Edwards Products, etc. 99 of them (almost 65%) can be exploited remotely without entering credentials.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business-critical information, depending on the modules installed in the organization.

Between this and the previous CPU, Oracle urgently closed severe issues, including the vulnerability dubbed JoltandBleed (CVE-2017-10269). As a reminder, this vulnerability allows an attacker to gain full access to all data stored in the following ERP systems:

  • Oracle PeopleSoft Campus Solutions
  • Oracle PeopleSoft Human Capital Management
  • Oracle PeopleSoft Financial Management
  • Oracle PeopleSoft Supply Chain Management, etc.

This quarter, the vendor released 15 fixes for PeopleSoft. 8 of them can be exploited over the network without user credentials.

The highest CVSS score is 9.8.

The number of PeopleSoft fixes rose sharply and peaked at 30 in July 2017, then slid slowly but steadily over the following two quarters.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is Oracle's main business application suite. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal or manipulate business-critical information, depending on the modules installed in the organization.

This Critical Patch Update contains 7 fixes for Oracle EBS. 4 of them can be exploited over the network without user credentials. The highest CVSS score is 9.1.

Since January 2017 the number of Oracle EBS fixes has dropped considerably: it reached a low of 11 in April 2017 and ended the last quarter of the past year at 26. The patch update for January 2018 contains 7 Oracle EBS fixes, the same number as in April 2016.

Oracle vulnerabilities identified by ERPScan Research team

This quarter, one vulnerability discovered by ERPScan researchers was closed.

The details are provided below:

  • Information disclosure of the PIA user and the FQDN of the PeopleSoft server via PSIGW/PeopleSoftListeningConnector (CVE-2018-2605, CVSS base score 6.5). An attacker who can reach the PSIGW/PeopleSoftListeningConnector endpoint obtains the PIA user name and the fully qualified domain name of the PeopleSoft server, information that is useful for further attacks against the system.

The most critical Oracle vulnerabilities closed by CPU January 2018

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. Severity is rated with the Common Vulnerability Scoring System (CVSS), so that Oracle customers can fix the most critical issues first.

The most critical issues closed by this CPU are as follows:

  • Sun ZFS Storage Appliance Kit (AK) has CVE-2018-2611 (CVSS Base Score: 10.0) – Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: Core Services). The supported version that is affected is Prior to 8.7.13. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance Kit (AK). While the vulnerability is in Sun ZFS Storage Appliance Kit (AK), attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Sun ZFS Storage Appliance Kit (AK).
  • Oracle WebLogic Server has CVE-2017-10352 (CVSS Base Score: 9.9) – Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS – Web Services). The supported version that is affected is 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized read access to a subset of Oracle WebLogic Server accessible data.
  • Oracle Retail Convenience and Fuel POS Software has CVE-2017-5645 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Retail Convenience and Fuel POS Software component of Oracle Retail Applications (subcomponent: OPT Server (Apache Log4j)). The supported version that is affected is 2.1.132. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Retail Convenience and Fuel POS Software. Successful attacks of this vulnerability can result in takeover of Oracle Retail Convenience and Fuel POS Software.
  • Oracle Directory Server Enterprise Edition has CVE-2017-5461 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Directory Server Enterprise Edition component of Oracle Fusion Middleware (subcomponent: Admin Console (Sun Security Libraries)). The supported version that is affected is 11.1.1.7.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Directory Server Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Directory Server Enterprise Edition.
  • PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil has CVE-2017-5645 (CVSS Base Score: 9.8) – Vulnerability in the PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil component of Oracle PeopleSoft Products (subcomponent: Supply Chain Portal Pack (Apache Log4j)). The supported version that is affected is 9.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil.
Securing Oracle applications

It is highly recommended that organizations apply the patches for all these vulnerabilities to prevent business risks to their systems. Companies providing Oracle security assessment and Oracle penetration testing services should include these vulnerabilities in their checklists. Tests for the latest vulnerabilities in Oracle PeopleSoft are included in the ERPScan Security Monitoring Suite for Oracle PeopleSoft.
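A checklist is only useful if it is matched against what is actually deployed. The following added example (not ERPScan's tooling) takes the affected-version statements from the Risk Matrix entries quoted above and checks an inventory against them, comparing versions numerically so that 8.7.9 is correctly recognised as older than 8.7.13 (a plain string comparison would get this wrong). The inventory rows, host names and the product naming convention are constructed for the example and are assumptions.

```python
"""Affected-version check against the CPU January 2018 entries quoted above.

Added example, not ERPScan's tooling. Affected-version specs are taken from the
Risk Matrix entries in this post; the inventory below is constructed to exercise
the matcher, and the product names your CMDB uses are an assumption.
"""
import re

# (product, affected-version spec, CVE) as stated in the quoted Risk Matrix entries.
CPU_JAN_2018 = [
    ("Sun ZFS Storage Appliance Kit (AK)", "Prior to 8.7.13", "CVE-2018-2611"),
    ("Oracle WebLogic Server", "12.2.1.3.0", "CVE-2017-10352"),
    ("Oracle Retail Convenience and Fuel POS Software", "2.1.132", "CVE-2017-5645"),
    ("Oracle Directory Server Enterprise Edition", "11.1.1.7.0", "CVE-2017-5461"),
    ("PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil", "9.1", "CVE-2017-5645"),
]


def version_tuple(version):
    """'8.7.13' -> (8, 7, 13), so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def _strip_zeros(t):
    """Drop trailing zero components so 9.1.0 and 9.1 denote the same release."""
    while t and t[-1] == 0:
        t = t[:-1]
    return t


def is_affected(installed, spec):
    """Apply an Oracle-style affected-version spec to an installed version.

    'Prior to X' covers every version below X; a bare version means exactly
    that release.
    """
    m = re.match(r"(?i)prior to\s+(\S+)", spec)
    if m:
        return version_tuple(installed) < version_tuple(m.group(1))
    return _strip_zeros(version_tuple(installed)) == _strip_zeros(version_tuple(spec))


def find_exposed(inventory, advisories=CPU_JAN_2018):
    """Return (host, product, version, CVE) for every inventory row that matches."""
    hits = []
    for host, product, version in inventory:
        for adv_product, spec, cve in advisories:
            if product == adv_product and is_affected(version, spec):
                hits.append((host, product, version, cve))
    return hits


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE_INVENTORY = [
    ("zfs-01", "Sun ZFS Storage Appliance Kit (AK)", "8.7.9"),   # 8.7.9 < 8.7.13: exposed
    ("zfs-02", "Sun ZFS Storage Appliance Kit (AK)", "8.7.13"),  # at the fixed level
    ("wls-01", "Oracle WebLogic Server", "12.2.1.3.0"),          # exactly the affected release
    ("wls-02", "Oracle WebLogic Server", "12.2.1.2.0"),          # not covered by this entry
    ("psft-01", "PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil", "9.1"),
]

if __name__ == "__main__":
    for hit in find_exposed(SAMPLE_INVENTORY):
        print("EXPOSED: %s runs %s %s (%s)" % hit)
```

Note the caveat the wls-02 row illustrates: no match means the version is not named in the entry quoted here, not that it is safe, since other releases may be covered by other entries or earlier CPUs. Treat the output as a prioritisation aid and verify against the full Risk Matrix before closing a finding.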

The post Analyzing Oracle Security – Oracle Critical Patch Update January 2018 appeared first on ERPScan.



This is a Security Bloggers Network syndicated blog post authored by Research Team. Read the original post at: Blog – ERPScan