Analyzing Oracle Security – Oracle Critical Patch Update for July 2018

Today Oracle has released its quarterly patch update for July 2018. It fixes a record number of 334 vulnerabilities.

The main highlights are as follows:

  • The average number of security issues released every quarter keeps growing this year.
  • CPU for July contains 203 vulnerabilities in business-critical applications. It’s 61% of vulnerabilities found in Oracle products.
  • The most vulnerable application is Oracle Financial Services Applications totaling 56. The criticality of issues is also alarming since 21 of them can be exploited over the network without entering user credentials.
  • This CPU contains 61 vulnerabilities assessed at critical (CVSS base score 9.0-10.0). The most serious vulnerabilities of the current CPU with CVSS score of 9.8 are in multiple Oracle’s products including Financial Services, Fusion Middleware, PeopleSoft, EBS, Retail Applications, etc.
  • Two of the most severe vulnerabilities were identified by ERPScan researchers in the Oracle Fusion Middleware (CVE-2018-2894 and CVE-2018-2943).
  • Oracle fixed 17 vulnerabilities that were found by ERPScan researchers but decided to dismiss ERPScan’s contribution and did not give a credit since ERPScan were put on a Treasury sanctions list.

Analysis of Oracle Critical Patch Update for July 2018

ERPScan Research and Security Intelligence teams provide an analysis of the vulnerabilities closed by this Critical Patch Update.

This quarter’s CPU for July 2018 contains more security patches than the previous CPU for April 2018 (see a bar chart).

The graph above shows that the vendor released yet another record-breaking batch of patches. It is safe to say that there is a constant trend of growing set of Oracle CPU. The average number of security patches has tripled in the last 4 years (from 113 to 334).

Oracle vulnerabilities by application type

The patch updates touch a wide range of products. The affected product families are shown in a table and sorted in descending order of the closed issues.

Product Family Number of patches
Financial Services Applications56
Fusion Middleware44
Retail Applications31
MySQL31
Hospitality Applications24
Sun Systems Products Suite 22
PeopleSoft15
Enterprise Manager Products Suite16
E-Business Suite 14
Communications Applications14
Virtualization12
Construction and Engineering Suite11
JD Edwards Products10
Java SE8
Supply Chain Products Suite8
Utilities Applications4
Policy Automation3
Database Server4
Hyperion2
Insurance Applications2
Siebel CRM1
iLearning1
Support Tools1

As seen from the table and illustrated in a pie chart, Financial Services Applications lead by the number of the closed issues. The vulnerabilities in Fusion Middleware keep raising and their number is ranked second in July’s CPU.

Vulnerabilities in Oracle’s business-critical applications

The fact that Oracle has 110,000 applications customers from the wide range of industries, makes it of the utmost importance to apply the released security patches.

This quarter’s CPU contains 203 patches for vulnerabilities affecting a scope of the most crucial business applications from Oracle, namely, PeopleSoft, E-Business Suite, Fusion Middleware, Retail, JD Edwards, Siebel CRM, Financial Services, Hospitality Applications, Supply Chain.

About 65% of them can be exploited remotely without entering credentials.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization.

This Critical patch update contains 15 fixes for Oracle PeopleSoft with the highest CVSS score of 9.8.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.

This critical patch update contains 14 fixes for Oracle EBS. The highest CVSS score is 8.2.

Oracle vulnerabilities identified by ERPScan Research team

This quarter, 17 critical vulnerabilities discovered by ERPScan researchers were closed.

The details of the identified issues are provided below:

  • Remote command execution in Oracle MapViewer using JerseyFileUpload (CVSS base score 9.8, CVE-2018-2943). Directory traversal vulnerability enables an attacker to upload some jsp file in apps folder and execute commands (escalate privileges).
  • Missing Authorization check in JD Edwards EnterpriseOne for SupportAssistant component (CVSS base score 7.5, CVE-2018-2944). SupportAssistant component in JD Edwards EnterpriseOne does not perform necessary authorization checks for critical function, leading to the escalation of privileges. An attacker can send GET request [http://host:port/jde/servlet/com.jdedwards.supportassistant.SupportAssistant]] and receive all possible methods. Afterwards, the attacker can use this methods via POST request in “xml” parameter, to get, for example, any file on the file system.
  • Anon XXE in Oracle Weblogic portalTools (CVSS base score 5.3, CVE-2018-3101). XXE vulnerabilities allow reading files from the server or launch a DoS attack.
  • jsp file uploading {privileges escalation} in Oracle Middleware 12.2.1.3.0 (CVSS base score 9.8, CVE-2018-2894). Using jsp file uploading an attacker can upload some jsp file in apps folder and execute certain commands (escalate privileges).
  • Cross-Site Scripting (XSS) vulnerability in JDE URLBuilderService (CVSS base score 6.1, CVE-2018-2945). Attackers can use a special HTTP request and hijack session data of administrators of the web resource.
  • Multiple Cross-Site Scripting (XSS) vulnerabilities in JDE GraphPrototype maflet (CVSS base score 6.1, CVE-2018-2946). Attackers can use a special HTTP request and hijack session data of administrators of the web resource.
  • Directory traversal in JDE FileDownloader maflet (CVSS base score 6.5, CVE-2018-2947). This security vulnerability allows attackers to traverse the file system to access files that are outside of the restricted directory.
  • Cross-Site Scripting (XSS) vulnerability in JDE MMDGView maflet (CVSS base score 6.1, CVE-2018-2948). Attackers can use a special HTTP request and hijack session data of administrators of the web resource.
  • Cross-Site Scripting (XSS) vulnerability in JDE TEDocWindow maflet (CVSS base score 6.1, CVE-2018-2949). Attackers can use a special HTTP request and hijack session data of administrators of the web resource.
  • Cross-Site Scripting (XSS) vulnerability in JDE TETaskProperties maflet (CVSS base score 9.1, CVE-2018-2950). Attackers can use a special HTTP request and hijack session data of administrators of the web resource.
  • Anon SQL injection in Oracle Business Process Management (CVSS base score 5.3, CVE-2018-3100). With the help of SQL injection vulnerabilities, an attacker extracts information from the local database using insecure SQL requests.
  • File Upload/Download Vulnerability in Integration Gateway – SimpleFileTargetConnector (CVSS base score 7.4, CVE-2018-2990). Default password in integrationGateway.properties ig.fileconnector.password=EncryptedPassword allows an attacker to upload and download arbitrary files from PeopleSoft webserver and gain full control of the PeopleSoft webserver.
  • Directory traversal using zip in Oracle SOA Suite for Healthcare Integration (CVSS base score 4.3, CVE-2018-3105). With the help of Directory traversal vulnerabilities an attacker uploads jsp file and gets a webshell.
  • Cross-Site Scripting (XSS) vulnerability in JDE ShortcutLauncher maflet (CVSS base score 6.1, CVE-2018-2999). Attackers can use a special HTTP request and hijack session data of administrators of the web resource.
  • Cross-Site Scripting (XSS) vulnerability in JDE dtadebugger maflet (CVSS base score 6.1, CVE-2018-3006). Attackers can use a special HTTP request and hijack session data of administrators of the web resource.
  • CVE-2017-10269 vulnerability affecting the Jolt Protocol was not properly patched and still exists (CVSS base score 8.6, CVE-2018-3007). This vulnerability allows remote attackers to expose internal memory of JSH processes. It leads to exposing critical information such as password, tokens, etc.
  • PeopleSoft server side template injection via arbitrary html file creation in ‘PSIGW/PeopleSoftListeningConnector/’ (CVSS base score 5.4, CVE-2018-3016). Attackers can create arbitrary html files with controlled content in server side via post request to PSIGW/PeopleSoftListeningConnector/.

Nonetheless, Oracle decided to dismiss ERPScan’s contribution and did not give a credit since ERPScan were put on a Treasury sanctions list.

The most critical Oracle vulnerabilities closed by CPU for July 2018

Oracle prepares Risk Matrices and associated documentation describing the conditions that are required to exploit a vulnerability, and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS ). This aims to help Oracle customers to fix the most critical issues first.

The most critical issues closed by the CPU are as follows

  • Oracle Spatial (jackson-databind) has CVE-2017-15095 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Spatial (jackson-databind) component of Oracle Database Server. Supported versions that are affected are 12.2.0.1 and 18.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Spatial (jackson-databind). Successful attacks of this vulnerability can result in takeover of Oracle Spatial (jackson-databind).
  • Oracle Global Lifecycle Management OPatchAuto component CVE-2018-7489 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Global Lifecycle Management OPatchAuto component of Oracle Global Lifecycle Management (subcomponent: DB specific extensions (jackson-databind)). The supported version that is affected is All. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Global Lifecycle Management OPatchAuto. Successful attacks of this vulnerability can result in takeover of Oracle Global Lifecycle Management OPatchAuto.
  • Oracle Fusion Middleware MapViewer has CVE-2018-2943 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Fusion Middleware MapViewer component of Oracle Fusion Middleware (subcomponent: Map Builder). Supported versions that are affected are 12.2.1.2.0 and 12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Fusion Middleware MapViewer. Successful attacks of this vulnerability can result in takeover of Oracle Fusion Middleware MapViewer.
  • Oracle WebLogic Server has CVE-2018-2894 (CVSS Base Score: 9.8) – Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS – Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
  • PeopleSoft Enterprise FIN Install has CVE-2017-5645 (CVSS Base Score: 9.8) – Vulnerability in the PeopleSoft Enterprise FIN Install component of Oracle PeopleSoft Products (subcomponent: Security (Apache Log4j)). The supported version that is affected is 9.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Install. Successful attacks of this vulnerability can result in takeover of PeopleSoft Enterprise FIN Install.

Securing Oracle applications

It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.

The post Analyzing Oracle Security – Oracle Critical Patch Update for July 2018 appeared first on ERPScan.



*** This is a Security Bloggers Network syndicated blog from Blog – ERPScan authored by Research Team. Read the original post at: https://erpscan.com/press-center/blog/analyzing-oracle-security-oracle-critical-patch-update-july-2018/