Today Oracle has released its quarterly patch update for October 2017. It fixes a total of 252 vulnerabilities.
The main highlights are as follows:
- Oracle closed 1119 issues in 2017 in total and the average number of security issues in 2017 is 22% more than in 2016.
- October’s CPU contains recording 155 vulnerabilities in Business-Critical Applications. It’s almost 62% of vulnerabilities found in other Oracle products.
- This patch update also contains a alarming number of PeopleSoft fixes totaling 23. However, not only the number, but the criticality of issues is alarming. 13 of them can be exploited over the network without entering user credentials. The most critical vulnerability with CVSS 9.8 identified by ERPScan researchers allows executing commands on the PeopleSoft server remotely.
Analysis of Oracle Critical Patch Update – October 2017
Below you can find an analysis of the vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Security Intelligence teams.
Comparing with the previous CPU for July 2017 that jumped over a 300-issue mark and became the largest ever, this month’s patch update addresses approximately 23% less security issues.
Nonetheless, Oracle fixes reach 1119 in 2017, and the graph provided below illustrates the increasing number of patches that were released by Oracle for each year.
Oracle vulnerabilities by Application type
The patch updates touch a wide range of products. The affected product families are listed below by the number of closed issues in descending order.
| Product Family | Number of patches |
| Fusion Middleware | 40 |
| Hospitality Applications | 37 |
| E-Business Suite | 26 |
| MySQL | 25 |
| PeopleSoft | 23 |
| Communications Applications | 23 |
| Java SE | 22 |
| Sun Systems Products Suite | 10 |
| Retail Applications | 9 |
| Siebel CRM | 8 |
| Supply Chain Products Suite | 7 |
| Virtualization | 6 |
| Database Server | 6 |
| Hyperion | 4 |
| JD Edwards Products | 2 |
| Financial Services Applications | 2 |
| Health Sciences Applications | 1 |
| Construction and Engineering Suite | 1 |
| Enterprise Manager Grid Control | 1 |
As you can see from the table, Oracle Fusion Middleware leads by the number of the closed issues.
Vulnerabilities in Oracle’s business-critical applications
The fact that Oracle has 110,000 applications customers from the wide range of industries, makes it of the utmost importance to apply the released security patches.
This quarter, CPU contains recording 155 patches (62%) for vulnerabilities affecting a scope of the Business applications from Oracle, namely, PeopleSoft, E-Business Suite, Fusion Middleware, Hospitality Applications, Retail, Hyperion, Siebel CRM, Supply Chain, JD Edwards etc. About 71% of them can be exploited remotely without entering credentials.
Oracle PeopleSoft Security
Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization.
This quarter only, the vendor released 23 fixes addressing the component (~9% of the update). For comparison, there were 44 PeopleSoft patches in total for the last whole year.
13 of these security loopholes can be exploited over the network without requiring user credentials.
The highest CVSS score is 9.8.
Oracle E-Business Suite Security
Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on modules installed in an organization.
This critical patch update contains 24 fixes for Oracle EBS. The highest CVSS score is 9.1.
Oracle vulnerabilities identified by ERPScan Research team
This quarter, 15 critical vulnerabilities discovered by ERPScan researchers were closed.
The details of the identified issues are provided below:
- Oracle Peoplesoft Anonymous RCE using PPMI (CVSS base score 9.8, CVE-2017-10366). With malicious JAVA serialized package attackers can execute system command on the remote server.
- Oracle Weblogic Application Server – Authorization bypass(CVSS base score 9.8, CVE-2017-10271). Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
- Oracle E-Business Suite Cross Site Scripting (ibeCZzpEntry.jsp) (CVSS base score 8.2, CVE-2017-10409). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
- Oracle E-Business Suite Cross Site Scripting (cskmrelstmts.jsp) (CVSS base score 8.2, CVE-2017-10410). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
- Oracle E-Business Suite Cross Site Scripting (cskmslctcat.jsp) (CVSS base score 8.2, CVE-2017-10411). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
- Oracle E-Business Suite Cross Site Scripting (cskmslctplat.jsp) (CVSS base score 8.2, CVE-2017-10412). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
- Oracle E-Business Suite Cross Site Scripting (csm5Sync.jsp) (CVSS base score 8.2, CVE-2017-10413). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
- Oracle E-Business Suite Cross Site Scripting (ibeCScdAgrmntDetail.jsp) (CVSS base score 8.2, CVE-2017-10414). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
- Oracle E-Business Suite Cross Site Scripting (ibutpqs.jsp) (CVSS base score 8.2, CVE-2017-10415). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
- Oracle E-Business Suite Cross Site Scripting (ieccaleassignexception.jsp) (CVSS base score 8.2, CVE-2017-10416). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
- Oracle E-Business Suite Cross Site Scripting (ieccaleexception.jsp) (CVSS base score 8.2, CVE-2017-10417). An anonymous user can exploit XSS attack in the context of E-Business Suite Application site against the application users. For example, he can steal cookies, or perform “session riding” attack.
- Hardcoded and predictable credentials for JMX InternalConnector and EMConnector (CVSS base score 7.5, CVE-2017-10373). An attacker gets extensive access to the diagnostic information of the PeopleSoft application. Including the ability to read the application server and a web server logs, get the status of server memory, etc.
- Stored XSS in HRMS (Applicant Notes page) (CVSS base score 5.4, CVE-2017-10304). An attacker can use special HTTP request for hijack session data for administrators or users of the web resource.
- Stored XSS in HRMS (Interview Calendar) (CVSS base score 4.6, CVE-2017-10306). An attacker can use special HTTP request for hijack session data for administrators or users of the web resource.
- Stored XSS in HRMS (Interview Calendar page) (CVSS base score 4.6, CVE-2017-10306). An attacker can use special HTTP request for hijack session data for administrators or users of the web resource.
The most critical Oracle vulnerabilities closed by CPU October 2017
Oracle prepares Risk Matrices and associated documentation describing the conditions that are required to exploit a vulnerability, and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS ). This aims to help Oracle customers to fix the most critical issues first.
The most critical issues closed by the CPU are as follows
- Oracle Hospitality Reporting and Analytics has CVE-2017-10402 (CVSS Base Score: 10.0) – Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: Report). Supported versions that are affected are 8.5.1 and 9.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Reporting and Analytics. While the vulnerability is in Oracle Hospitality Reporting and Analytics, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Reporting and Analytics.
- Oracle Hospitality Reporting and Analytics has CVE-2017-10405 (CVSS Base Score: 10.0) – Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: Report). Supported versions that are affected are 8.5.1 and 9.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality Reporting and Analytics. While the vulnerability is in Oracle Hospitality Reporting and Analytics, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Hospitality Reporting and Analytics accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality Reporting and Analytics./li>
- Siebel Apps – Field Service has CVE-2013-1903 (CVSS Base Score: 10.0) – vulnerability in the Siebel Apps – Field Service component of Oracle Siebel CRM (subcomponent: Smart Answer (Python)). Supported versions that are affected are 16.0 and 17.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Siebel Apps – Field Service. While the vulnerability is in Siebel Apps – Field Service, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Siebel Apps – Field Service.
- Oracle Hospitality Cruise AffairWhere has CVE-2017-10396 (CVSS Base Score: 9.9) – Vulnerability in the Oracle Hospitality Cruise AffairWhere component of Oracle Hospitality Applications (subcomponent: AffairWhere). Supported versions that are affected are 2.2.5.0, 2.2.6.0 and 2.2.7.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality Cruise AffairWhere. While the vulnerability is in Oracle Hospitality Cruise AffairWhere, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Hospitality Cruise AffairWhere accessible data as well as unauthorized read access to a subset of Oracle Hospitality Cruise AffairWhere accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Hospitality Cruise AffairWhere.
- Oracle Hospitality Reporting and Analytics has CVE-2017-10404 (CVSS Base Score: 9.9) – Vulnerability in the Oracle Hospitality Reporting and Analytics component of Oracle Hospitality Applications (subcomponent: iQuery). Supported versions that are affected are 8.5.1 and 9.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Hospitality Reporting and Analytics. While the vulnerability is in Oracle Hospitality Reporting and Analytics, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Hospitality Reporting and Analytics.
- Oracle Peoplesoft Anonymous RCE using PPMI (CVSS base score 9.8, CVE-2017-10366). With malicious JAVA serialized package attackers can execute system command on the remote server.
Securing Oracle applications
It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.
The post Analyzing Oracle Security – Oracle Critical Patch Update October 2017 appeared first on ERPScan.