Oracle has released the first quarterly security update this year to fix 237 vulnerabilities, more than half of which affect business-critical applications.
The products impacted by the patched flaws include Java, MySQL, Oracle Database Server, Financial Services Applications, Fusion Middleware, Hospitality Applications, PeopleSoft, Supply Chain Products Suite, Sun Systems Products Suite, Retail Applications, Communications Applications, Health Sciences Applications, E-Business Suite, Hyperion, JD Edwards Products, Siebel CRM and Construction and Engineering Suite. Multiple vulnerabilities fixed in this update are critical, with severity scores of 9.0 and above on the Common Vulnerability Scoring System (CVSS) scale.
According to an analysis by security firm ERPScan, 153 of the vulnerabilities, or 64 percent, are located in business-critical applications, and 99 of them can be exploited remotely without authentication. Oracle Financial Services Applications leads with 34 fixes, followed by Fusion Middleware with 27.
The most severe flaws, with CVSS scores of 9.9 and 10.0, are located in the ZFS Storage Appliance Kit, which is part of the Oracle Sun Systems Products Suite; the Oracle WebLogic Server, a Java application server also used by other products; the Oracle Retail Convenience and Fuel POS Software; the Oracle Directory Server Enterprise Edition; and the PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil. All of these vulnerabilities can be easily exploited and can lead to a full compromise of the affected systems.
Last week, the SANS Internet Storm Center warned that attackers are using an exploit published in December for Oracle WebLogic Server to compromise systems and install Monero mining malware on them. Some of the compromised systems used the WebLogic server to run Oracle PeopleSoft applications.
On Tuesday, ERPScan released a proof-of-concept exploit for a critical vulnerability previously found by the company and dubbed JOLTandBLEED (CVE-2017-10269). The flaw allows attackers to gain access to all data stored in several Oracle PeopleSoft business applications and was patched by Oracle in November through emergency out-of-band updates. The fact that a proof-of-concept exploit is now available makes attacks more likely, so users should immediately install the latest available patches for PeopleSoft applications.
In fact, this new quarterly update fixes an additional 15 flaws in PeopleSoft, eight of which can be exploited over the network without authentication.
Other patches users should prioritize are those for the Oracle E-Business Suite, the main business software developed by Oracle. There are seven fixes available for this product, two of them for SQL injection flaws with a CVSS score of 9.1.
“As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on modules installed in an organization,” the ERPScan researchers warned.
According to researchers from Onapsis Research Labs, the two SQL injection flaws can be used to completely compromise the confidentiality, integrity and availability of Oracle EBS data.
“Regarding confidentiality, an attacker could execute an arbitrary query in the database to get information such as credit cards, customer information, supplier information, etc.,” the Onapsis researchers said in a blog post. “Affecting the integrity, an attacker could modify invoice prices in the database and, regarding availability, could be affected by removing some configuration table or executing a procedure that could cause the database corruption.”
Users are advised to install the updates as soon as possible, especially those for critical flaws in applications that are known to be targeted by attackers, such as Oracle WebLogic, PeopleSoft or E-Business Suite.