Analyzing Oracle Security – Critical Patch Update for April 2018

Today Oracle has released its quarterly patch update. Oracle warns that if customers fail to apply the available patches, attackers will succeed in exploiting the vulnerabilities.

April’s CPU fixes a total of 254 security vulnerabilities.

The main highlights are listed below.

  • April’s CPU contains 153 vulnerabilities in business-critical applications. That is 60% of the vulnerabilities fixed across Oracle products.
  • The product with the most fixes is Oracle Fusion Middleware, with 39. The criticality of these issues is also alarming: 30 of them can be exploited over the network without user credentials.
  • This CPU contains 42 vulnerabilities assessed as critical (CVSS base score 9.0-10.0). The most severe vulnerabilities of the current CPU, with a CVSS score of 9.8, are in multiple Oracle products including Fusion Middleware, Financial Services, PeopleSoft, EBS, Retail Applications, etc.
  • Business applications that store critical information remain vulnerable to cyberattacks; to make penetration testing and vulnerability assessment easier, ERPScan has released a free Pentesting Tool for Oracle E-Business Suite.

Analysis of Oracle Critical Patch Update – April 2018

ERPScan Research and Security Intelligence teams provide an analysis of the vulnerabilities closed by this Critical Patch Update.

The patch update contains slightly more security fixes than the previous CPU for January 2018 (see the bar chart below).

Fig.1 Number of Oracle’s patches by quarters

The patch update touches a wide range of products. The affected product families are listed in the table below in descending order of the number of closed issues.

Product Family                       Number of patches
Fusion Middleware                    39
Financial Services Applications      36
Retail Applications                  31
Java SE                              14
Sun Systems Products Suite           14
Hospitality Applications             13
E-Business Suite                     12
Enterprise Manager Products Suite    10
Communications Applications           9
Supply Chain Products Suite           5
Construction and Engineering Suite    4
JD Edwards Products                   3
Siebel CRM                            2
Database Server                       2
Support Tools                         1
Utilities Applications                1

Fig.2 Oracle vulnerabilities by application type for April 2018

As the table and the pie chart above show, Oracle Fusion Middleware, Oracle’s cloud platform for digital business, leads by the number of closed issues. The number of vulnerabilities in Financial Services applications keeps rising and ranks second in April’s CPU.

Vulnerabilities in Oracle’s business-critical applications

Since Oracle has 110,000 applications customers across a wide range of industries, applying the released security patches is of the utmost importance.

This quarter’s CPU contains 153 patches for vulnerabilities affecting the most crucial Oracle business applications, namely PeopleSoft, E-Business Suite, Fusion Middleware, Retail, JD Edwards, Siebel CRM, Financial Services, Hospitality Applications and Supply Chain.

About 69% of them can be exploited remotely without entering credentials.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on the modules installed in an organization.

This critical patch update contains 12 fixes for Oracle EBS. The highest CVSS score is 9.1.

When exploring Oracle E-Business Suite security, the ERPScan team noticed that there were no convenient, free tools to make security assessments simpler. Consequently, the researchers developed the first free Oracle E-Business Suite security scanner, the ERPScan EBS Pentesting Tool.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business-critical information, depending on the modules installed in an organization.

This Critical Patch Update contains 12 fixes for Oracle PeopleSoft, with the highest CVSS score of 8.8.

Oracle vulnerabilities identified by ERPScan Research team

This quarter, one critical vulnerability discovered by ERPScan researchers was closed, and six further ERPScan reports were credited under Oracle’s Security-In-Depth Contributors program.

The details of the identified issue are provided below.

Stored XSS in HRMS (APPLICANT FILE ATTACHMENTS) – CVSS base score 5.4, CVE-2018-2752. An attacker can use a special HTTP request to hijack session data of administrators or users of the web resource.
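As an added illustration of the stored-XSS class described above (this is example code written for this post, not code from the ERPScan advisory or from Oracle HRMS), the following Python shows why an applicant-supplied attachment filename becomes dangerous once it is interpolated into an HTML page that administrators open, and what the server-side fix looks like. The applicant record, the payload and the page template are all constructed for the example; nothing here is taken from the affected product.

```python
import html
import re
from dataclasses import dataclass
from urllib.parse import quote

# Constructed sample record: an applicant file attachment as an HR module might store it.
# The filename is chosen by the applicant at upload time and is rendered later into a
# page that HR administrators view, which is exactly the shape of a stored XSS.
@dataclass(frozen=True)
class Attachment:
    applicant: str
    filename: str

# Constructed payload for the demonstration; it only rewrites the page title.
CONSTRUCTED_PAYLOAD = '<script>document.title=document.cookie</script>'

SAMPLE_ATTACHMENTS = [
    Attachment("Jane Doe", "resume.pdf"),
    Attachment("Mallory", f"cv_{CONSTRUCTED_PAYLOAD}.pdf"),
]


def render_vulnerable(att: Attachment) -> str:
    """Interpolates stored data straight into HTML. The stored <script> element is
    emitted verbatim and runs in the administrator's browser."""
    return (f'<tr><td>{att.applicant}</td>'
            f'<td><a href="/attachments/{att.filename}">{att.filename}</a></td></tr>')


def render_hardened(att: Attachment) -> str:
    """Encodes for each output context separately: html.escape for text nodes and
    quoted attributes, percent-encoding for the URL path segment inside href."""
    name_text = html.escape(att.filename, quote=True)
    name_path = quote(att.filename, safe="")   # also encodes '/' so no path escape
    applicant = html.escape(att.applicant, quote=True)
    return (f'<tr><td>{applicant}</td>'
            f'<td><a href="/attachments/{name_path}">{name_text}</a></td></tr>')


# Allowlist for upload-time validation: defence in depth, not a substitute for output
# encoding, because the same stored value may be rendered in contexts not covered here.
_SAFE_FILENAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def filename_is_acceptable(name: str) -> bool:
    """True only for plain filenames; markup characters and leading dots are rejected."""
    return _SAFE_FILENAME.fullmatch(name) is not None


def contains_raw_markup(rendered: str) -> bool:
    """Crude check used to show the difference between the two renderers."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    for att in SAMPLE_ATTACHMENTS:
        print("accepted at upload:", filename_is_acceptable(att.filename))
        print("vulnerable:", render_vulnerable(att))
        print("hardened  :", render_hardened(att))
```

The hardened renderer is the actual fix; the allowlist on upload only narrows what can be stored. A session cookie marked HttpOnly and a Content-Security-Policy that disallows inline scripts limit what a residual XSS can reach, which is the mitigation layer the session-hijack impact quoted above depends on.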

The most critical Oracle vulnerabilities closed by CPU April 2018

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This helps Oracle customers fix the most critical issues first.

The most critical issues closed by the CPU are as follows: