Today Oracle has released its quarterly patch update for January 2016. It fixes a total of 248 vulnerabilities. It’s a record number of security issues patched by Oracle in one update ever, and the figures look like the record number of vulnerabilities patched by any vendor in one update. Defining moment in the history of Oracle Security
Comparing with the previous CPU for October 2015 that closed 154 security vulnerabilities, this one addresses 62% more security issues and almost 2,5 times more than the average number (100).
The number of vulnerabilities in Oracle’s Enterprise business applications is increasing. While in previous years the significant part of the closed vulnerabilities affect JAVA, MySQL, and Oracle Database, this critical patch update shows a significant growth in the number of patches for Enterprise applications such as Oracle EBS (32% of all patched vulnerabilities), Oracle Fusion Middleware - a new Oracle’s platform for all business applications (11%) - and Oracle PeopleSoft (4%). To put it simple, vulnerabilities in all the products that store and process the most valuable corporate data constitute the largest part of all vulnerabilities patched in this update.
The trend of rising number of vulnerabilities in enterprise applications has started earlier: for instance, in October 2015, Oracle patched 12 vulnerabilities in Oracle EBS, 6 of them were discovered by ERPScan Research interns. It was only 2 months after Oracle’s CSO Mary Ann Davidson told that Oracle doesn’t need any help from external researchers.
But this quarter, Oracle closed 78 vulnerabilities in the core platform of Oracle’s most common Enterprise application - Oracle EBS (E-Business Suite). 2 of them were discovered by the same ERPScan interns. It’s almost a record number of vulnerabilities patched by a company in one product in one update ever, only Adobe’s Flash had more.
All these 78 issues are of great importance because they affect mission-critical business applications based on E-Business Suite platform such as Value Chain Execution suite, Value Chain Planning, Advanced Procurement, Supply Chain Management, Project Portfolio Management, Human Capital Management, Financial Management, Service Management, and Customer Relationship Management. These applications store and process the most valuable corporate data such as HR information, financial information, supplier and customer lists, and others. In case of successful attack, a malicious person can manipulate data about quantity of material resources, change the item prices, misappropriate funds, and modify financial reports, just to name a few.
Oracle Critical Patch Update Analysis
Below you can find an analysis of the most significant vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Oracle Security Intelligence teams.
Oracle vunerabilities by Application type
The affected product families are as follows (listed by the number of closed issues in descending order): Oracle E-Business Suite, Oracle Enterprise Manager Grid Control, Oracle Fusion Middleware, Oracle Sun Systems Products Suite, Oracle MySQL, Oracle PeopleSoft, Oracle Virtualization, Oracle Retail Applications, Oracle Java SE, Oracle JD Edwards, Oracle Database Server, Oracle Communications Applications, Oracle Supply Chain Products Suite, Oracle GoldenGate, and Oracle iLearning.
Oracle vunerabilities by severity
Oracle Security by business-critical applications
This quarter’s CPU contains patches for vulnerabilities affecting a scope of the most crucial business applications from Oracle, namely, Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products, Oracle Database Server. About 53% (144) of all of the patch updates close vulnerabilities in these products. Moreover, 103 (about 71%) of these vulnerabilities can be exploited remotely without authentication.
Oracle E-Business Suite Security
Oracle E-Business Suite is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.
The number of closed issues is noteworthy; this critical patch update contains 78 fixes for Oracle EBS, while the previous quarter’s update contains 12 updates and the average number of closed issues is 9,75 (as for 2015). The highest CVSS score is 6.4.
Oracle PeopleSoft Security
Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization. This Critical patch update contains 11 fixes for Oracle PeopleSoft and the previous quarter’s update contains 8. The highest CVSS score of 5.5.
Oracle JD Edwards Security
Oracle JDE is a set of various business applications. As it manages a wide range of business processes and stores key data, a successful attack against JD Edwards allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.
This Critical patch update contains 7 fixes for Oracle JDE with the highest CVSS score of 7.8.
The most critical Oracle vulnerabilities closed by CPU January 2016
Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability, and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This aims to help Oracle customers to fix the most critical issues first. This time, 5 vulnerabilities have received the highest CVSS score of 10.0. Most of them relate to the Oracle Java SE.
- Java SE, Java SE Embedded has CVE-2016-0494 (CVSS Base Score: 10.0) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: 2D). Supported versions that are affected are Java SE: 6u105, 7u91 and 8u66; Java SE Embedded: 8u65. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful exploit of this vulnerability can lead to unauthorized Operating System takeover including arbitrary code execution. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets.
- Java SE, Java SE Embedded has CVE-2015-8126 (CVSS Base Score: 10.0) - Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u105, 7u91 and 8u66; Java SE Embedded: 8u65. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful exploit of this vulnerability can lead to unauthorized Operating System takeover including arbitrary code execution. Applies to client deployment of Java only. This vulnerability can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets
- Java SE, Java SE Embedded, JRockit has CVE-2016-0483 (CVSS Base Score: 10.0) - Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: AWT). Supported versions that are affected are Java SE: 6u105, 7u91 and 8u66; Java SE Embedded: 8u65; JRockit: R28.3.8. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.
- Oracle GoldenGate has CVE-2016-0451 (CVSS Base Score: 10.0) - Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate. Supported versions that are affected are 11.2 and 12.1.2. Easily exploitable vulnerability allows successful unauthenticated network attacks via Oracle Golden Gate. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. The CVSS score is 10.0 only on Windows for Database versions prior to 12c.
- Oracle GoldenGate has CVE-2016-0452 (CVSS Base Score: 10.0) - Vulnerability in the Oracle GoldenGate component of Oracle GoldenGate. Supported versions that are affected are 11.2 and 12.1.2. Easily exploitable vulnerability allows successful unauthenticated network attacks via Oracle Golden Gate. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution. The CVSS score is 10.0 only on Windows for Database versions prior to 12c.
Oracle Vulnerabilities that were patched with the help of ERPScan
This quarter, 2 critical vulnerabilities discovered by ERPScan researchers were closed . All of the issues affect Oracle E-Business suite.
By following the links, you can find the details of the security flaws identified by ERPScan researchers.
Securing Oracle applications
It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.
The post Oracle Security Analysis – Oracle Critical Patch Update January 2016 appeared first on ERPScan.