Today Oracle has released its quarterly patch update for April 2016. It fixes a total of 136 vulnerabilities.
Comparing with the previous record-breaking CPU for January 2016 that closed 248 vulnerabilities, this one addresses about 55% less security issues. However, this number is almost the same as a typical Oracle patch update includes in average.
The differences between CVSS v 3.0 and CVSS v2.0 for ERP systems.
Starting from this Critical Patch Update, all the future fixes will be scored using Common Vulnerability Scoring Standard (CVSS) of version 3.0. This quarter the updates will be rated both by the CVSS 2.0 and 3.0.
It is noteworthy that according to CVSS base score ver. 3.0 no vulnerabilities have received the highest rating of 10.0. In our opinion, it doesn’t mean that the closed vulnerabilities are less critical (that is proved by 5 issues of the highest severity by CVSS 2.0).
CVSS version 3 is the latest update of the standardized method for rating vulnerabilities. It was introduced in June, 2015, and now more and more companies started to use this new scoring system (for example, other world-renowned software vendor SAP) . In comparison with CVSS 2.0, several metrics were changed, added, and removed. The most significant changes from the version 2.0 are the following (more information available in User Guide):
- The terms vulnerable component and impacted component were introduced. Exploitability metrics are calculated for a vulnerable component while impact metrics are scored for an affected one, which is a good innovation. Sometimes vulnerability can be discovered in a less critical component but can affect a whole system. This fact is especially noteworthy when we speak about ERP systems and other mission-critical applications which consist of multiple components where some vulnerabilities in them may affect all system and others may not. It’s quite hard to understand the impact of a certain issue without in-depth knowledge of affected system architecture.
- The new metrics User Interaction, Scope, and Privileges Required (replaces Authentication) were added.
- The Access Vector has been renamed to Attack Vector.
- The Impact metric shifted from quantitative to qualitative values; Confidentiality, Integrity and Availability values of None, Partial, and Complete have been replaced with None, Low, and High to reflect the degree of attack impact.
- Guidance on assessing multiple vulnerabilities is provided.
CVSS changes influence on Oracle Critical patch update
So, the most important question is what has really changed for people responsible for securing ERP systems.
The table below shows how the severity of vulnerabilities from Oracle CPU April 2016 depends on the scoring system.
| CVSS 2.0 | CVSS 3.0 | Difference (in absolute number) | Difference (in percentage) | |
| Low | 28 | 10 | -18 | -64% |
| Medium | 87 | 84 | -3 | -3% |
| High | 12 | 25 | +13 | +52% |
| Critical | 9 | 17 | +8 | +48% |
The final figures are showing that while we have much less vulnerabilities with the highest rating of 10.0 according to the new scoring system, the overall number of vulnerabilities rated Critical (and High) has grown (while the number of Low and Medium risk issues decreased slightly).
First of all, I’m glad to see such changes in the scoring system, as there were many discussions about the quality of CVSS v.2.0. For example, vendors could rate issues discovered in their products as less critical (intentionally or unintentionally) because of some flaws in this scoring system. Now the recently updated system is more accurate and many drawbacks affecting the previous version were resolved. On the other hand, it’s great that Oracle took it seriously and started to use the newest scoring system. Recently (in March, 2016) another large ERP vendor - SAP - switched to CVSS v. 3 as well
- commented Alexander Polyakov, CTO at ERPScan.
Oracle Critical Patch Update April 2016 Analysis
Below you can find an analysis of the most significant vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Security Intelligence teams.
Oracle vulnerabilities by Application type
The affected product families are listed below (by the number of closed issues in descending order): Oracle MySQL, Oracle Fusion Middleware, Oracle Sun Systems Products Suite, Oracle PeopleSoft, Oracle Java SE, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle Database Server, Oracle Berkeley DB, Oracle Virtualization, Oracle Financial Services Software, Oracle Retail Applications, Oracle Siebel CRM, Oracle Enterprise Manager Grid Control, Oracle JD Edwards, Oracle Health Sciences Applications, Oracle Communications Applications.
Oracle vulnerabilities by severity. CVSS 2.0
Security of Oracle business-critical applications
This quarter’s CPU contains patches for vulnerabilities affecting a scope of the most business applications from Oracle, namely, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products, and Oracle Database Server. 43% (59) of all of the patch updates close vulnerabilities in these products.
Oracle E-Business Suite Security
Oracle E-Business Suite is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information depending on modules installed in an organization.
This critical patch update contains 7 fixes for Oracle EBS. The highest CVSS score is 6.4 (CVSS 2.0)/ 9.1 (CVSS v. 3.0). The previous quarter’s update contains 78 updates, however, the average number of closed issues is about 10 (as for 2015).
Oracle PeopleSoft Security
Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information depending on modules installed in an organization.
This Critical patch update contains 15 fixes for Oracle PeopleSoft and the previous quarter’s update contains 11. The highest CVSS score is 6.5(CVSS 2.0)/ 8.7 (CVSS v. 3.0).
More information about Oracle PeopleSoft Security you can find in our blog posts and the recently published whitepaperOracle JD Edwards Security
Oracle JDE is a set of various business applications. As it manages a wide range of business processes and stores key data, a successful attack against JD Edwards allows an attacker to steal and manipulate different business critical information depending on modules installed in an organization.
This Critical patch update contains 1 fix for Oracle JDE with the CVSS score of 6.4(CVSS 2.0)/ 6.5 (CVSS v. 3.0).
The most critical Oracle vulnerabilities closed by CPU April 2016
Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability, and the potential impact of a successful attack. This time, 7 vulnerabilities have received the highest CVSS score of 10.0 (CVSS 2.0). Most of them relate to the Oracle Java SE.
- Java SE (2D) has CVE-2016-3443 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.6) - Supported versions that are affected are Java SE: 6u113, 7u99 and 8u77. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE.
- Java SE, Java SE Embedded (Hotspot) has CVE-2016-0687 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.6) - Supported versions that are affected are Java SE: 6u113, 7u99 and 8u77; Java SE Embedded: 8u77. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.
- Java SE, Java SE Embedded (Serialization) has CVE-2016-0686 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.6) - Supported versions that are affected are Java SE: 6u113, 7u99 and 8u77; Java SE Embedded: 8u77. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.
- Java SE, Java SE Embedded, JRockit (JMX) has CVE-2016-3427 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.0) - Supported versions that are affected are Java SE: 6u113, 7u99 and 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9. Difficult to exploit vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. While the vulnerability is in Java SE, Java SE Embedded, JRockit, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded, JRockit.
- Solaris (PAM LDAP module) has CVE-2016-0693 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.8) - Vulnerability in the Solaris component of Oracle Sun Systems Products Suite. Supported versions that are affected are 10 and 11.3. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris.
- MySQL Server (Server: Packaging) has CVE-2016-0705 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.8) - Vulnerability in the MySQL Server component of Oracle MySQL. Supported versions that are affected are 5.6.29 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.
- MySQL Server (Server: Pluggable Authentication) has CVE-2016-0639 (CVSS v. 2.0 Base Score: 10.0 CVSS v. 3.0 Base Score: 9.8) - Vulnerability in the MySQL Server component of Oracle MySQL. Supported versions that are affected are 5.6.29 and earlier and 5.7.11 and earlier. Easily exploitable vulnerability allows a unauthenticated attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in takeover of MySQL Server.
Securing Oracle applications
It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security Audit Penetration testing should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.
The post CVSS 3.0 – How does it Affect Oracle Critical Patch Update? appeared first on ERPScan.