Oracle Critical Patch Update October 2015 – Analyzing Oracle Security

Today Oracle has released its quarterly critical patch update for October 2015. It fixes a total of 154 vulnerabilities.

The previous CPU for July 2015 closed 193 security vulnerabilities which is 20% more than in this one, but this one still adresses more security issues than the average number.

This quarter, some of the vulnerabilities were discovered in the core platform of Oracle’s most popular Enterprise application - Oracle EBS (E-Business Suite). These issues are important because they affect critical business applications based on E-Business Suite platform such as Value Chain Execution suite, Value Chain Planning, Advanced Procurement, Supply Chain Management, Project Portfolio Management, Human Capital Management, Financial Management, Service Management, and Customer Relationship Management. Listed applications store and process the most valuable corporate data such as HR information, financial data, supplier and customer lists, and others. It means that in case of successful attack, a malicious person can manipulate data about quantity of material resources, change the item prices, misappropriate funds, and modify financial reports, just to name a few.

Oracle Critical Patch Update Analysis

Below you can find the details of the most significant vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Oracle Security Intelligence teams.

Oracle vulnerabilities by Application type

The affected product families are as follows: Oracle database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Industry Applications, including Oracle Communications Applications and Oracle Retail Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle Pillar Axiom, Oracle Linux & Virtualization, and Oracle MySQL.

Oracle vunerabilities by severity

The average CVSS Score in this udate is 5.4.

Oracle vunerabilities in business-critical applications

This quarter’s CPU addresses vulnerabilities affecting business-critical applications from Oracle, namely Oracle database, Fusion Middleware, E-Business Suite, Supply Chain Products Suite, PeopleSoft, Siebel CRM, Oracle Industry Applications, and Oracle Retail Applications. 65 (42%) of all of the patch updates close vulnerabilities in these products. Moreover, about 51% (33 issues) of these vulnerabilities can be exploited remotely without authentication.

Oracle PeoplesSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization. This Critical patch update contains 8 fixes for Oracle PeopleSoft with the highest CVSS score of 6.8.

Oracle E-Business Suite Security

Oracle E-Business Suite is the main business software developed by Oracle. Such business applications as Value Chain Execution suite, Value Chain Planning, Advanced Procurement, Supply Chain Management, Project Portfolio Management, Human Capital Management, Financial Management, Service Management, and Customer Relationship Management are based on this platform. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.

This Critical patch update contains 12 fixes for Oracle EBS with the highest CVSS score of 10.

Oracle Siebel CRM Security

Oracle Siebel CRM is a Customer Relationship Management solution. It delivers transactional, analytical, and engagement features. A successful attack against it can result in gaining control over tenders and affect relationship with clients. This Critical patch update contains 1 fix for Oracle Siebel CRM with the CVSS base score of 4.3.

The most critical Oracle vulnerabilities closed by CPU October 2015

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This aims to help Oracle customers to fix the most critical issues first. This time, 12 vulnerabilities have received the highest CVSS score of 10.0. Most of them relates to Oracle Java SE.

• Portable Clusterware has CVE-2015-4863 (CVSS Base Score: 10.0) - Unspecified vulnerability in the Portable Clusterware component in Oracle Database Server 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
• Oracle Applications Technology Stack has CVE-2015-4798 (CVSS Base Score: 10.0 ) - Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2 allows remote authenticated users to affect availability via unknown vectors related to DB Listener, a different vulnerability than CVE-2015-4839.
• Oracle Applications Technology Stack has CVE-2015-483 (CVSS Base Score: 10.0) - Unspecified vulnerability in the Oracle Applications Technology Stack component in Oracle E-Business Suite 11.5.10.2 allows remote authenticated users to affect availability via unknown vectors related to DB Listener, a different vulnerability than CVE-2015-4798.
• Oracle Communications Diameter Signaling Router (DSR), Oracle Communications Performance Intelligence Center Software, Oracle Communications Policy Management, Oracle Communications Tekelec HLR Router and Oracle Communications User Data Repository has CVE-2015-2608 (CVSS Base Score: 10.0) - Unspecified vulnerability in (1) the Oracle Communications Diameter Signaling Router (DSR) component in Oracle Communications Applications 4.1.6 and earlier, 5.1.0 and earlier, 6.0.2 and earlier, and 7.1.0 and earlier; (2) the Oracle Communications Performance Intelligence Center Software component in Oracle Communications Applications 9.0.3 and earlier and 10.1.5 and earlier; (3) the Oracle Communications Policy Management component in Oracle Communications Applications 9.9.0 and earlier, 10.5.0 and earlier, 11.5.0 and earlier, and 12.1.0 and earlier; (4) the Oracle Communications Tekelec HLR Router component in Oracle Communications Applications 4.0.0; and (5) the Oracle Communications User Data Repository component in Oracle Communications Applications 10.2.0 and earlier allows remote attackers to affect confidentiality, integrity, and availability via vectors related to PMAC.
• Java SE, Java SE Embedded has CVE-2015-4835 (CVSS Base Score: 10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4881.
• Java SE, Java SE Embedded has CVE-2015-4881 (CVSS Base Score: 10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to CORBA, a different vulnerability than CVE-2015-4835.
• Java SE, Java SE Embedded has CVE-2015-4843 (CVSS Base Score: 10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.
• Java SE, Java SE Embedded has CVE-2015-4860 (CVSS Base Score: 10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI, a different vulnerability than CVE-2015-4883.
• Java SE, Java SE Embedded has CVE-2015-4805 (CVSS Base Score:10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Serialization.
• Java SE, Java SE Embedded has CVE-2015-4844 (CVSS Base Score: 10.0) - Unspecified vulnerability in Oracle Java SE 6u101, 7u85, and 8u60, and Java SE Embedded 8u51, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.
• Integrated Lights Out Manager (ILOM) has CVE-2015-4915 (CVSS Base Score: 10.0) - Unspecified vulnerability in the Integrated Lights Out Manager (ILOM) component in Oracle Sun Systems Products Suite 3.0, 3.1, and 3.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to System Management.
• Oracle FS1-2 Flash Storage System has CVE-2015-0235 (CVSS Base Score: 10.0) - Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

Oracle Vulnerabilities that were patched with the help of ERPScan

This quarter, six critical vulnerabilities discovered by ERPScan researchers were closed . All of the issues affect Oracle E-Business suite, its flagship set of enterprise applications. The vulnerabilities identified by ERPScan constitutes a half of all security loopholes fixed this time

Below are the details of the security flaws identified by ERPScan researchers.

• Database user enumeration vulnerability (CVSS Base Score: 4.3) There is a script in EBS that is used to connect to the database and displays the connection status. Different connection results can help an attacker to find existing database accounts. This script allows an attacker to connect to the database with the given login/password, so the attacker can enumerate the database users.
• SQL injection vulnerability (CVSS Base Score: 3.6) By exploiting this vulnerability, an internal or external attacker will be able to escalate their privileges. With the help of this access, it is possible to obtain sensitive technical and business-related information stored in the vulnerable Oracle system.
• Cross-site Scripting vulnerability (CVSS Base Score: 4.3) A cross-site scripting vulnerability can lead to injection of malicious scripts into a trusted web site. By exploiting this vulnerability, an internal or external attacker will be able to escalate their privileges. With the help of this access, it is possible to obtain sensitive technical and/or business-related information stored in the vulnerable Oracle system.
• XXE injection vulnerability (CVSS Base Score: 6.4) Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some Oracle Report Manager accessible data as well as read access to a subset of Oracle Report Manager accessible data.
• XXE injection vulnerability(CVSS Base Score: 6.8) Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some Oracle Report Manager accessible data as well as read access to a subset of Oracle Report Manager accessible data.
• XXE injection vulnerability(CVSS Base Score: 6.8) Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to some Oracle Report Manager accessible data as well as read access to a subset of Oracle Report Manager accessible data.

Securing Oracle applications

It is highly recommended that Oracle customers patch all those vulnerabilities to prevent business risks affecting their systems.Companies providing services should include these vulnerabilities in their checklists.

The post Oracle Critical Patch Update October 2015 – Analyzing Oracle Security appeared first on ERPScan.