Today Oracle has released its quarterly patch update for October 2016. It fixes a total of 253 vulnerabilities.
The main highlights are as follows:
- 1. This is the second-largest Update containing 253 vulnerability fixes. Almost every Oracle CPU released in 2016 contains more than 200 fixes, while the average number for the years 2011-2015 is approximately 110.
- 2. The updates close a lot of security issues in the business-critical applications from Oracle. For example, Oracle E-Business Suite has the highest number of updates among mission-critical software containing 21 issues where 11 are assessed as high. 14 of them can be exposed online providing an entry point for attackers. The number and criticality of the issues are alarming.
- 3. There is a critical vulnerability in HTTP service of Oracle EBS patched in this update. ERPScan researchers conducted a Shodan scanning and revealed that approximately 15000 Oracle HTTP servers are exposed to the Internet.
Oracle Critical Patch Update October 2016
Comparing with the previous CPU for July 2016 that closed 276 vulnerabilities, this one addresses approximately 11% less security issues. Nonetheless, this it the second largest update in the history
"Oracle started this year by releasing a CPU consisting of 248 patches, which immediately made headlines as a record-breaking number of fixes. As of today, this patch update seems to be a game-changing moment. Looking at the graph above, we can assume that the exceeding the two-hundred mark in terms of number of closed issues was not fortuitousness. This seems to be a trend for all sets of patches released in 2016, and only CPU for April 2016 is at odds with it."
- commented Alexander Polyakov, CTO at ERPScan.
Oracle Critical Patch Update Analysis
Below you can find an analysis of the most significant vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Oracle Security Intelligence teams.
Oracle vulnerabilities by Application type
The affected product families are listed in descending order of the number of closed issues:
| Product family | Number of patches |
| Oracle Communications Applications | 36 |
| Oracle MySQL | 31 |
| Oracle Fusion Middleware | 29 |
| Oracle Financial Services Applications | 24 |
| Oracle E-Business Suite | 21 |
| Oracle Supply Chain Products Suite | 19 |
| Oracle Sun Systems Products Suite | 16 |
| Oracle Virtualization | 13 |
| Oracle Database Server | 12 |
| Oracle PeopleSoft | 11 |
| Oracle Retail Applications | 10 |
| Oracle Commerce | 7 |
| Oracle Java SE | 7 |
| Oracle Enterprise Manager Grid Control | 5 |
| Oracle Siebel CRM | 3 |
| Oracle Hospitality Applications | 3 |
| Oracle Secure Backup | 2 |
| Oracle Primavera Products Suite | 2 |
| Oracle JD Edwards | 2 |
| Oracle Big Data Graph | 1 |
| Oracle Health Sciences Applications | 1 |
| Oracle Oracle Insurance Applications | 1 |
Vulnerabilities in Oracle business-critical applications
This quarter’s CPU contains numerous patches for vulnerabilities affecting a scope of the most crucial business applications from Oracle, namely, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products, Oracle Database Server. About 39% (97) of all of the patch updates close vulnerabilities in these products, and about 64% of these vulnerabilities can be exploited remotely without authentication.
Oracle E-Business Suite Security
Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.
This critical patch update contains 21 fixes for Oracle EBS. The highest CVSS score is 8.2.
Among the vulnerable components, there is Oracle HTTP server, the web server component of Oracle EBS. The vulnerability is assessed as critical (CVSS base score of 8.2). According to Oracle's advisory, the vulnerability is easily exploitable and allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks of this vulnerability can result in complete DoS of Oracle HTTP Server and unauthorized read access to data.
ERPScan researchers conducted a Shodan scanning and revealed that approximately 15000 Oracle HTTP servers are exposed to the Internet.
Oracle PeopleSoft Security
Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization.
This Critical patch update contains 11 fixes for Oracle PeopleSoft with the highest CVSS score of 8.2.
Oracle JD Edwards Security
Oracle JDE is a set of various business applications. As it manages a wide range of business processes and stores key data, a successful attack against JD Edwards allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.
This Critical patch update contains 2 fixes for Oracle JDE with the highest CVSS score of 8.1.
Oracle Siebel CRM Security
Oracle Siebel CRM is a Customer Relationship Management solution. It delivers transactional, analytical, and engagement features. A successful attack against it can result in gaining control over tenders and affect relationship with clients.
This Critical patch update contains 3 fixes for Oracle Siebel CRM with the CVSS base score of 8.1.
The most critical Oracle vulnerabilities closed by CPU October 2016
Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability, and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS ). This aims to help Oracle customers to fix the most critical issues first.
The most critical issues closed by the CPU are as follows
- Oracle Big Data Discovery has CVE-2015-3253 (CVSS Base Score: 9.8) - Vulnerability in the Oracle Big Data Discovery component of Oracle Fusion Middleware (subcomponent: Data Processing). Supported versions that are affected are 1.1.1, 1.1.3 and 1.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Big Data Discovery. Successful attacks of this vulnerability can result in takeover of Oracle Big Data Discovery.
- Oracle Web Services has CVE-2016-3551 (CVSS Base Score: 9.8) - Vulnerability in the Oracle Web Services component of Oracle Fusion Middleware (subcomponent: JAXWS Web Services Stack). Supported versions that are affected are 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0 and 12.2.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Services. Successful attacks of this vulnerability can result in takeover of Oracle Web Services.
- Oracle WebLogic Server has CVE-2016-5535 (CVSS Base Score: 9.8) - Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: None). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.0 and 12.2.1.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
- Oracle Commerce Platform has CVE-2015-3253 (CVSS Base Score: 9.8) - Vulnerability in the Oracle Commerce Platform component of Oracle Commerce (subcomponent: Dynamo Application Framework). Supported versions that are affected are 10.0.3.5, 10.2.0.5 and 11.2.0.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Commerce Platform. Successful attacks of this vulnerability can result in takeover of Oracle Commerce Platform.
- Java SE, Java SE Embedded has CVE-2016-5582 (CVSS Base Score: 9.6) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: Hotspot). Supported versions that are affected are Java SE: 6u121, 7u111 and 8u102; Java SE Embedded: 8u101. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Java SE, Java SE Embedded.
Securing Oracle applications
It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.
The post Analyzing Oracle Security – Oracle Critical Patch Update October 2016 appeared first on ERPScan.