Oracle Fixes Critical Vulnerabilities in Business Applications

by Lucian Constantin on April 21, 2018

Oracle has released a new quarterly critical patch update (CPU) for its product portfolio, fixing 254 vulnerabilities across 20 product families. More than two-thirds of those flaws are located in business-critical applications and 42 are rated critical.

According to security firm Onapsis, the business applications with critical vulnerabilities include Communications Applications, Financial Services, Fusion Middleware, JD Edwards, Retail Applications and Utilities Applications. Successful exploitation of the flaws can lead to a full compromise of the applications’ integrity, confidentiality and availability.

“From the total of 176 Business Critical Application vulnerabilities 114 are remotely exploitable,” the Onapsis researchers, who found and reported 11 of the flaws, said in a blog post. “A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker’s path is through OSI layer 3 (the network layer).”

Oracle Fusion Middleware, a cloud platform for businesses, had the highest number of patched flaws this CPU—39—and was followed by Financial Services Applications with 36, MySQL with 33, Retail Applications with 31 and Java and the Sun Systems Products Suite, each with 14.

The Oracle E-Business Suite (EBS), one of the main business software developed by Oracle, received patches for 12 vulnerabilities, as did the company’s other enterprise applications suite, Oracle PeopleSoft.

Sponsorships Available

Oracle EBS and PeopleSoft are used to manage a wide range of business processes and to store key data. A successful attack against them could allow “an attacker to steal and manipulate different business critical information, depending on modules installed in an organization,” said researchers from security firm ERPScan, who reported one of the vulnerabilities patched in this CPU.

The most critical vulnerabilities, rated with 9.8 in the Common Vulnerability Scoring System (CVSS), were fixed in the Oracle Financial Services Market Risk Measurement and Management, Oracle Financial Services Hedge Management and IFRS Valuations, Oracle WebLogic Server, JD Edwards World Security and Oracle Retail Order Management System.

The flaw patched in WebLogic Server, a component of Oracle Fusion Middleware, is particularly dangerous because this server powers a lot of applications. Vulnerabilities in WebLogic has been targeted by hackers in the past, including earlier this year to install Monero mining malware on servers.

LinkedIn Button Could Have Allowed Personal Data Scraping

LinkedIn has added better protection to its LinkedIn AutoFill button after a researcher showed it could be used by malicious websites to stealthily scrape data from users.

The LinkedIn AutoFill button allows visitors to a website that integrates it to easily auto-populate forms with information from their LinkedIn profiles, such as their names, email addresses, phone numbers, location and job.

The button was intended to be used on their websites by paying customers of LinkedIn’s Marketing Solutions platform. However, 18-year-old bug hunter Jack Cable noticed that any website could integrate it trick users into unknowingly submitting their personal details.

“In a report to LinkedIn, I demonstrated that a user’s information can be unwillingly exposed to any website simply by clicking somewhere on the page,” Cable said in a blog post. “This is because the AutoFill button could be made invisible and span the entire page, causing a user clicking anywhere to send the user’s information to the website.”

This sounds like a classic clickjacking attack, in which HTML and CSS tricks are used to hide buttons that trigger actions users never intended to perform.

Following Cable’s report, LinkedIn has restricted the domains that can display the button and added another prompt to ask users for confirmation before sending their data to a website for populating form fields.

— Lucian Constantin

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at [email protected] or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 298 posts and counting.See all posts by lucian-constantin