SBN

Analyzing Oracle Security – Critical Patch Update for April 2018

Today Oracle has released its quarterly patch update. Oracle warns that if customers fail to apply available patches, attackers become successful in their attempts to maliciously exploit vulnerabilities.

April’s CPU fixes a total of 254 security vulnerabilities.

The main highlights are listed below.

  • April’s CPU contains 153 vulnerabilities in business-critical applications. It’s 60% of vulnerabilities found in Oracle products.
  • The most vulnerable application is Oracle Fusion Middleware totaling 39. The criticality of issues is also alarming as 30 of them can be exploited over the network without entering user credentials.
  • This CPU contains 42 vulnerabilities assessed at critical (CVSS base score 9.0-10.0). The most severe vulnerabilities of the current CPU with CVSS score of 9.8 are in multiple Oracle’s products including Fusion Middleware, Financial Services, PeopleSoft, EBS, Retail Applications, etc.
  • Business applications with the stored critical information remain vulnerable to cyberattacks, and ERPScan being intended to make the processes of penetration testing and vulnerability assessment easier, finally released the free Pentesting Tool for Oracle E-Business Suite.

Analysis of Oracle Critical Patch Update – April 2018

ERPScan Research and Security Intelligence teams provide an analysis of the vulnerabilities closed by this Critical Patch Update.

The patch update contains slightly more security fixes than the previous CPU for January 2018 (see a bar chart).

Fig.1 Number of Oracle’s patches by quarters

The patch updates touch a wide range of products. The affected product families are listed in a table by the number of closed issues in descending order.

Product Family Number of patches
Fusion Middleware 39
Financial Services Applications 36
MySQL 33
Retail Applications 31
Java SE 14
Sun Systems Products Suite 14
Hospitality Applications 13
Virtualization 13
E-Business Suite 12
PeopleSoft 12
Enterprise Manager Products Suite 10
Communications Applications 9
Supply Chain Products Suite 5
Construction and Engineering Suite 4
JD Edwards Products 3
Siebel CRM 2
Database Server 2
Support Tools 1
Utilities Applications 1
Fig.2 Oracle vulnerabilities by application type for April 2018

As seen from the table and illustrated in the pie chart above, Oracle Fusion Middleware that is the cloud platform for digital business leads by the number of the closed issues. The vulnerabilities in Financial Services applications keep raising and their number is ranked second in April’s CPU.

Vulnerabilities in Oracle’s business-critical applications

The fact that Oracle has 110,000 applications customers from the wide range of industries, makes it of the utmost importance to apply the released security patches.

This quarter’s CPU contains 153 patches for vulnerabilities affecting a scope of the most crucial business applications from Oracle, namely, PeopleSoft, E-Business Suite, Fusion Middleware, Retail, JD Edwards, Siebel CRM, Financial Services, Hospitality Applications, Supply Chain.

About 69% of them can be exploited remotely without entering credentials.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.

This critical patch update contains 12 fixes for Oracle EBS. The highest CVSS score is 9.1.

When exploring Oracle E-Business Suite security, ERPScan team noticed that there are not convenient and free tools that can make security assessments simpler. Consequently, the researchers developed the first free Oracle E-Business Suite security scanner – ERPScan EBS Pentesting tool.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization.

This Critical patch update contains 12 fixes for Oracle PeopleSoft with the highest CVSS score of 8.8.

Oracle vulnerabilities identified by ERPScan Research team

This quarter, one critical vulnerability (but 6 reports) for Security-In-Depth Contributors discovered by ERPScan researchers were closed.

The details of the identified issue are provided below.

    Stored XSS in HRMS (APPLICANT FILE ATTACHMENTS) – CVSS base score 5.4, CVE-2018-2752. An attacker can use a special HTTP request to hijack session data of administrators or users of the web resource.

    The most critical Oracle vulnerabilities closed by CPU April 2018

    Oracle prepares Risk Matrices and associated documentation describing the conditions that are required to exploit a vulnerability, and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This help Oracle customers fix the most critical issues primarily.

    The most critical issues closed by the CPU are as follows:

    • Oracle Financial Services Market Risk Measurement and Management has CVE-2018-7489 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Financial Services Market Risk Measurement and Management component of Oracle Financial Services Applications (subcomponent: Infrastructure (jackson-databind)). The supported version that is affected is 8.0.5. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Market Risk Measurement and Management. Successful attacks of this vulnerability can result in the takeover of Oracle Financial Services Market Risk Measurement and Management.
    • Oracle Financial Services Hedge Management and IFRS Valuations has CVE-2018-7489 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Financial Services Hedge Management and IFRS Valuations component of Oracle Financial Services Applications (subcomponent: Hedge Definition, Valuation-run definition (jackson-databind)). Supported versions that are affected are 8.0.4 and 8.0.5. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Hedge Management and IFRS Valuations. Successful attacks of this vulnerability can result in the takeover of Oracle Financial Services Hedge Management and IFRS Valuations.
    • Oracle WebLogic Server has CVE-2018-2628 (CVSS Base Score: 9.8) – Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. The easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in the takeover of Oracle WebLogic Server.
    • JD Edwards World Security has CVE-2017-5645 (CVSS Base Score: 9.8) – Vulnerability in the JD Edwards World Security component of Oracle JD Edwards Products (subcomponent: Security Vulnerability (Apache Log4j)). Supported versions that are affected are A9.2, A9.3, and A9.4. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise JD Edwards World Security. Successful attacks of this vulnerability can result in the takeover of JD Edwards World Security.
    • Oracle Retail Order Management System has CVE-2017-5645 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Retail Order Management System component of Oracle Retail Applications (subcomponent: Upgrade Install (Apache Log4j)). Supported versions that are affected are 4.0, 4.5, 4.7 and 5.0. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Retail Order Management System. Successful attacks of this vulnerability can result in the takeover of Oracle Retail Order Management System.
    • Securing Oracle applications

      It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.

      The post Analyzing Oracle Security – Critical Patch Update for April 2018 appeared first on ERPScan.