April 2018 Oracle Critical Patch Update: Oracle patches 254 vulnerabilities, 176 specific to Financials

Onapsis helps secure 92% of E-Business Suite vulnerabilities

Oracle has just released its April 2018 Critical Patch Update, containing patches for 254 new vulnerabilities. At Onapsis, our goal is to help customers and vendors secure Business-critical applications by analyzing them for security weaknesses and working with the responsible teams to fix them. In this most recent Critical Patch Update (CPU), 176 of the 254 vulnerabilities affect Business-critical applications, which represents 69% of the total.

Oracle uses CVSS version 3 to measure the impact of each vulnerability, with 10 being the most critical score. In this CPU the highest score is 9.8, and 35 patches carry that score. This represents a critical risk for every company running the affected products in its landscape.

The Business-critical applications with a 9.8 CVSS score are:

  1. Communications Applications
  2. Financial Services
  3. Fusion Middleware
  4. JD Edwards
  5. Retail Applications
  6. Utilities Applications

If left unpatched, these could lead to a full compromise of the CIA triad: Confidentiality, Integrity and Availability.

CVSS also measures attack complexity and the network access required. In this respect, 114 of the 176 Business-critical application vulnerabilities are remotely exploitable. A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers) [1].

The following graph shows the number and percentage of vulnerabilities patched by Oracle for each Business-critical application.

  [1] https://www.first.org/cvss/specification-document

Vulnerabilities reported by Onapsis Research Lab

In this Critical Patch Update Oracle fixed 12 vulnerabilities in Oracle E-Business Suite, 11 of which were reported by the Onapsis Research Lab. The vulnerabilities are nine information disclosures and two SQL injections.

The information disclosure vulnerabilities affect the confidentiality of Oracle EBS systems, and the SQL injections affect the Confidentiality, Availability and Integrity of Oracle EBS systems. The following list contains all the vulnerabilities fixed by Oracle and reported by the Onapsis Research Lab:

  1. CVE-2018-2864: Information Disclosure in OBJNAVSERVER, which directly affects confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  2. CVE-2018-2865: Information Disclosure in GLLOOKUPSVO, which directly affects confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  3. CVE-2018-2866: Information Disclosure in ACCOUNTTYPESLOVVO, which directly affects confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  4. CVE-2018-2867: Information Disclosure in FUNCTIONSERVER, which directly affects confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  5. CVE-2018-2868: Information Disclosure in ORGSERVER, which directly affects confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  6. CVE-2018-2869: Information Disclosure in POSSERVER, which directly affects confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  7. CVE-2018-2870: SQL Injection in ORGSERVER, which directly affects confidentiality, integrity and availability. CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
  8. CVE-2018-2871: SQL Injection in POSSERVER, which directly affects confidentiality, integrity and availability. CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
  9. CVE-2018-2872: Information Disclosure in DATAMANAGERSERVER, which directly affects confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
  10. CVE-2018-2873: Information Disclosure in STRUCTURESVO, which directly affects confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).

All 11 vulnerabilities were reported by our CTO, Juan Pablo Perez Etchegoyen, and we congratulate him on that.

SQL Injection vulnerabilities

Injection vulnerabilities are the first entry in the OWASP (Open Web Application Security Project) Top 10 report, which describes the most common vulnerabilities to which companies are exposed in web applications. These vulnerabilities tend to be of very high risk and should be patched immediately.

How does SQL injection work in Oracle E-Business Suite?

SQL injection is a vulnerability in which an attacker takes advantage of missing parameter sanitization. An attacker can use such an input to add SQL to the statement in order to read or modify database information, or in some cases even cause a denial of service. The entry point an attacker could use is a JSP, a Servlet or a specific class, among other possibilities.

The following code shows an example of a SQL injection vulnerability.

The first thing the vulnerability needs is an input parameter:

String whereClause = request.getParameter("nWhereClause"); // untrusted, attacker-controlled request parameter

The variable "whereClause" can then be assigned to other variables and used in different parts of the code.

The parameter received from the URL reaches a specific class, which uses it to build the SQL statement, as shown in the following example:

// paramString1..4 carry request-supplied values; concatenating them straight into the query is the injection point
String str1 = "SELECT UNIQUE " + paramString1 + " id, " + paramString2 + " name, " + paramString3 + " details FROM " + paramString4;

This is how the SQL Injection in an Oracle E-Business Suite system appears to an attacker.

Oracle helps mitigate the possibility of attack by implementing sanitization, encoding or, in some cases, prepared statements.

In this example, Oracle mitigates the attack by implementing a sanitization check on the where clause before it is used:

whereClause = j1.getWhereClause(); // the sanitized where clause replaces the raw request parameter
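As an added example (not code from the post, from Oracle or from the EBS code base), the concatenation pattern above is shown beside a hardened builder; the allowlisted tables and columns are hypothetical. The caveat a prepared statement cannot cover: column and table names are identifiers, not bindable values, so they must be validated against an allowlist before they are ever concatenated.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.regex.Pattern;

public class DynamicQueryGuard {
    // Hypothetical allowlists standing in for the tables and columns a servlet is meant to expose.
    private static final Set<String> ALLOWED_TABLES = Set.of("FND_USER", "FND_RESPONSIBILITY");
    private static final Set<String> ALLOWED_COLUMNS = Set.of("USER_ID", "USER_NAME", "DESCRIPTION");
    // A bare identifier: letters, digits and underscore only; no quotes, spaces, commas, comments or ';'.
    private static final Pattern IDENT = Pattern.compile("[A-Za-z_][A-Za-z0-9_]{0,29}");

    /** The vulnerable pattern from the post: request parameters concatenated straight into SQL. */
    static String unsafeQuery(String id, String name, String details, String table) {
        return "SELECT UNIQUE " + id + " id, " + name + " name, " + details + " details FROM " + table;
    }

    /** Hardened builder: identifiers cannot be bound as JDBC parameters, so each one must pass
     *  both a strict syntax check and an allowlist check before it is concatenated. */
    static String safeQuery(String id, String name, String details, String table) {
        return "SELECT UNIQUE " + column(id) + " id, " + column(name) + " name, "
                + column(details) + " details FROM " + table(table);
    }

    static String column(String s) { return check(s, ALLOWED_COLUMNS, "column"); }
    static String table(String s)  { return check(s, ALLOWED_TABLES, "table"); }

    private static String check(String s, Set<String> allowed, String kind) {
        if (s == null || !IDENT.matcher(s).matches())
            throw new IllegalArgumentException("malformed " + kind + " identifier: " + s);
        String upper = s.toUpperCase(Locale.ROOT);
        if (!allowed.contains(upper))
            throw new IllegalArgumentException("unknown " + kind + " identifier: " + s);
        return upper;
    }

    public static void main(String[] args) {
        // Constructed request parameters: one legitimate set, then three a filter must reject.
        // "last_update_login" is syntactically a valid identifier, so only the allowlist stops it.
        System.out.println(safeQuery("user_id", "user_name", "description", "fnd_user"));
        for (String tainted : List.of("user_name--", "user_id, other_column", "last_update_login")) {
            System.out.println("unsafe builder accepts: " + unsafeQuery(tainted, "x", "x", "fnd_user"));
            try {
                safeQuery(tainted, "user_name", "description", "fnd_user");
            } catch (IllegalArgumentException e) {
                System.out.println("safe builder rejects: " + e.getMessage());
            }
        }
    }
}
```

Values that belong in a WHERE clause (user ids, names) should still go through PreparedStatement bind variables; the allowlist handles only the parts of the statement that JDBC cannot bind.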

As always, organizations should immediately apply the released patches to ensure their systems are up to date and their data and processes are secure.

Onapsis in Collaborate and RSA conferences

This week Onapsis will present a session at the RSA Conference titled "I Forgot Your Password: Breaking Modern Password Recovery Systems" by Nahuel Sanchez and Martín Doyhenard. The company will also be showcasing the Onapsis Security Platform at booth #4227 in the North Hall.

Another important conference in April is Collaborate 2018, where Onapsis will have live demos of the Onapsis Security Platform's functionality for Oracle EBS at booth #1516. The team will present two sessions:

*** This is a Security Bloggers Network syndicated blog from Blog authored by ltabo. Read the original post at: https://www.onapsis.com/blog/april-2018-oracle-critical-patch-update-oracle-patches-254-vulnerabilities-176-specific