Analyzing Oracle Security – Oracle Critical Patch Update April 2017

Today Oracle has released its quarterly patch update for April 2017. It fixes a record number of 299 vulnerabilities.

The main highlights are as follows:

  • The average number of security issues released every quarter keeps growing and this quarter has almost reached 300.
  • 37% of patches address vulnerabilities in Oracle’s industry solutions such as Retail and Financial services applications installed in the largest companies worldwide.
  • The patch update contains 40 vulnerabilities assessed critical (CVSS base score 9.0-10.0), including 25 rated 10.0.
  • One of the most severe vulnerabilities in Oracle E-Business Suite (the vendor’s main business application suite) was identified by an ERPScan researcher. It allows an attacker to read all key business data from the database remotely without authorization.

This quarter’s CPU contains more security patches than the previous CPU for January 2017 (270).

The graph above shows that the vendor has released yet another record-breaking batch of patches, less than a year after the previous notorious record of 276 fixes (Oracle CPU – July 2017). It is safe to say that the volume of Oracle CPUs is growing steadily: the average number of security patches has tripled in the last 5 years (from 91 to 284).

Oracle Critical Patch Update Analysis

Below you can find an analysis of the vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Security Intelligence teams.

Oracle vulnerabilities by Application type

The patch updates touch a wide range of products. The affected product families are as follows (listed by the number of closed issues in descending order):

Product Family                      Number of patches
Financial Services Applications     47
MySQL                               39
Retail Applications                 39
Fusion Middleware                   31
Sun Systems Products Suite          21
PeopleSoft                          16
Virtualization                      15
Berkeley DB                         14
Support Tools                       13
E-Business Suite                    11
Communications Applications         11
Java SE                              8
Utilities Applications               7
Primavera Products Suite             7
Hospitality Applications             6
Commerce                             3
Database Server                      2
Enterprise Manager Grid Control      2
Secure Backup                        1
Hyperion                             1
Supply Chain Products Suite          1
JD Edwards Products                  1
Siebel CRM                           1
Health Sciences Applications         1
Insurance Applications               1

As you can see from the table, Oracle Financial Services Applications leads by the number of security patches, followed by MySQL and Retail Applications.

Vulnerabilities in Oracle industry-specific applications

Oracle provides a set of vertical applications which are intended to efficiently solve difficulties each industry may face. These solutions are used by large enterprises to store data and manage a wide range of business processes. Nonetheless, these applications contain numerous vulnerabilities. If exploited, the security issues may lead to theft of sensitive data or manipulation of business-critical information.

Oracle’s Critical Patch Update for April 2017 is characterized by a record-setting number of fixes addressing vertical applications. Security issues in Financial Services, Retail, Communications, Utilities, Hospitality, Health Sciences, and Insurance applications total 122 and account for 37% of all patches. Moreover, 61% (75) of them are exploitable remotely.

“Cybercrime has always been a lucrative business. Nowadays, hackers set their eyes on enterprises more than on individuals, as they understood that this option is more profitable. Taking into account that Oracle’s products are installed in the largest enterprises, these applications can be the ultimate target. The good news is that the vendor drew its attention to this critical area before a serious data breach happens. The bad news is that Oracle admins will long work on installing numerous patches.”

– commented Alexander Polyakov, CTO at ERPScan.

Vulnerabilities in Oracle business-critical applications

This quarter’s CPU contains 83 patches for vulnerabilities affecting the most crucial business applications from Oracle, namely Oracle PeopleSoft, E-Business Suite, JD Edwards, Siebel CRM, Oracle Financial Services, and Oracle Primavera Products Suite. About 60% of them can be exploited remotely without entering any credentials.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate various business-critical information, depending on the modules installed in an organization.

This critical patch update contains 11 fixes for Oracle EBS. The highest CVSS score is 9.1.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate various business-critical information, depending on the modules installed in an organization.

This Critical Patch Update contains 16 fixes for Oracle PeopleSoft, with the highest CVSS score of 7.5.

Oracle vulnerabilities identified by ERPScan Research team

This quarter, 7 critical vulnerabilities discovered by 5 ERPScan researchers were closed. Moreover, three of them were also acknowledged for contributing to Oracle’s Security-In-Depth program, which means that the information they reported resulted in significant modification of code or documentation in future releases.

The details of the identified issues are provided below:

  • SQL Injection in Oracle E-Business Suite (CVSS base score 9.1, CVE-2017-3549). The code builds an SQL statement from strings that can be altered by an attacker. The manipulated SQL statement can then be used to retrieve additional data from the database or to modify the data without authorization.
  • DoS in Oracle E-Business Suite (CVSS base score 7.5, CVE-2017-3555). An anonymous attacker can send many specially crafted requests and cause a denial of service of the whole subsystem.
  • CRLF injection in Oracle PeopleSoft (CVSS base score 7.4, CVE-2017-3547). An attacker can perform a great variety of attacks, including cross-site scripting, cross-user defacement, poisoning of the client’s web cache, hijacking of web pages, defacement, etc.
  • XSS in Oracle E-Business Suite (CVSS base score 7.1, CVE-2017-3557). An attacker can use a specially crafted HTTP request to hijack session data of administrators or users of the web application.
  • XXE in Oracle PeopleSoft (CVSS base score 6.5, CVE-2017-3548). A malicious user can modify an XML-based request to include XML content that is then parsed locally.
  • SSRF in Oracle PeopleSoft (CVSS base score 6.5, CVE-2017-3546). An attacker can force a vulnerable server to send malicious requests to third-party servers and/or internal resources. This vulnerability can then be leveraged to launch specific attacks such as a cross-site port attack, service enumeration, and various others.
  • SSRF in Oracle E-Business Suite (CVSS base score 5.3, CVE-2017-3556). An attacker can bypass authorization checks and download files stored in E-Business Suite.
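As an added defensive illustration for the XXE item above (this is example code written for this page, not ERPScan's or Oracle's, and the XML samples are constructed rather than real PeopleSoft messages), the following Python loader refuses any untrusted document that declares a DTD, which is the only place external entities and recursive entity expansions can be defined, before handing the document to ElementTree:

```python
"""Hardened loading of untrusted XML (added example; not from the page).

External entities (XXE) and entity-expansion bombs can only be declared
inside a DOCTYPE, so the loader runs a lightweight expat pass whose sole
job is to abort on any DTD or entity declaration, and parses the document
with ElementTree only after that pass comes back clean.
"""
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat StartDoctypeDeclHandler: any DTD at all is refused
    raise UnsafeXMLError(f"DOCTYPE {name!r} is not allowed in untrusted XML")


def _reject_entity(name, is_param, value, base, sysid, pubid, notation):
    # expat EntityDeclHandler: not reachable once DOCTYPE is refused, kept
    # as defence in depth in case the DOCTYPE handler is ever removed
    raise UnsafeXMLError(f"entity {name!r} is not allowed in untrusted XML")


def parse_untrusted_xml(data: bytes) -> ET.Element:
    """Return the root element of `data`, or raise UnsafeXMLError / ExpatError."""
    guard = expat.ParserCreate()
    guard.StartDoctypeDeclHandler = _reject_doctype
    guard.EntityDeclHandler = _reject_entity
    guard.Parse(data, True)          # exceptions raised in handlers propagate here
    return ET.fromstring(data)       # second parse builds the tree for clean input


def is_safe_xml(data: bytes) -> bool:
    """True if `data` is well-formed and free of DTD/entity declarations."""
    try:
        parse_untrusted_xml(data)
        return True
    except (UnsafeXMLError, expat.ExpatError, ET.ParseError):
        return False


# Constructed samples (hypothetical order messages, not real PeopleSoft traffic).
CLEAN_XML = b'<?xml version="1.0"?><order id="42"><item sku="A1" qty="3"/></order>'
XXE_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>'
    b'<order id="42">&ext;</order>'
)
ENTITY_BOMB_XML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE order [<!ENTITY a "aaaaaaaaaa"><!ENTITY b "&a;&a;&a;&a;&a;">]>'
    b'<order>&b;&b;&b;</order>'
)

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_XML), ("xxe", XXE_XML), ("bomb", ENTITY_BOMB_XML)):
        print(label, "accepted" if is_safe_xml(doc) else "rejected")
```

Refusing the DTD outright is stricter than disabling external entity resolution alone, but it is the setting that also stops internal entity expansion attacks, and business documents exchanged with PeopleSoft or EBS integrations should not need a DTD in the first place.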

The most critical Oracle vulnerabilities closed by CPU April 2017

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This aims to help Oracle customers fix the most critical issues first.

The most critical issues closed by the CPU are as follows:

  • Kernel RPC has CVE-2017-3623 (CVSS Base Score: 10.0) – CVE-2017-3623 Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel RPC). For supported versions that are affected see note. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Solaris. While the vulnerability is in Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Solaris.
  • Monitoring: General (Struts 2) has CVE-2017-5638 (CVSS Base Score: 10.0) – Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: General (Struts 2)). Supported versions that are affected are 3.1.6.8003 and earlier, 3.2.1182 and earlier, 3.3.2.1162 and earlier. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. While the vulnerability is in MySQL Enterprise Monitor, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor.
  • Oracle FLEXCUBE Private Banking has CVE-2017-5638 (CVSS Base Score: 10.0) – Vulnerability in the Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Core (Struts 2)). Supported versions that are affected are 12.0.1, 12.0.2, 12.0.3 and 12.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Private Banking. While the vulnerability is in Oracle FLEXCUBE Private Banking, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle FLEXCUBE Private Banking.
  • Oracle Financial Services Asset Liability Management has CVE-2017-5638 (CVSS Base Score: 10.0) – Vulnerability in the Oracle Financial Services Asset Liability Management component of Oracle Financial Services Applications (subcomponent: Core (Struts 2)). Supported versions that are affected are 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3 and 8.0.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Asset Liability Management. While the vulnerability is in Oracle Financial Services Asset Liability Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Asset Liability Management.
  • Oracle Financial Services Data Integration Hub has CVE-2017-5638 (CVSS Base Score: 10.0) – Vulnerability in the Oracle Financial Services Data Integration Hub component of Oracle Financial Services Applications (subcomponent: Core (Struts 2)). Supported versions that are affected are 8.0.1, 8.0.2, 8.0.3 and 8.0.4. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Data Integration Hub. While the vulnerability is in Oracle Financial Services Data Integration Hub, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Financial Services Data Integration Hub.

Multiple vulnerabilities in Struts 2

An RCE vulnerability (CVE-2017-5638, CVSS Base Score: 10.0) affects 25 Oracle components. Details of the RCE, including a working example, can be found on the Internet (Metasploit-Framework).
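An added detection example for the Struts 2 issue above, written for this page rather than taken from ERPScan or from any Oracle product: CVE-2017-5638 is reached through a crafted Content-Type header that the Struts Jakarta multipart parser evaluates as an OGNL expression (background knowledge, not stated on the page). Since a legitimate Content-Type must fit the narrow RFC 7231 media-type grammar, the pass below flags any request whose header fails that grammar (an allow-list check) and additionally names OGNL expression markers for triage. The tab-separated log format and all log lines are constructed for the example; a non-functional placeholder stands in for hostile header values.

```python
"""Detection pass for CVE-2017-5638-style Content-Type headers (added example).

A valid Content-Type is `type/subtype` followed by optional `; name=value`
parameters. Anything else in that header is anomalous on its own, and a
`%{` or `${` OGNL marker inside it is a strong triage signal. The log
format (timestamp, client, method, path, raw Content-Type, tab-separated)
is constructed for this example and is not a real server log format.
"""
from __future__ import annotations
import re

_TOKEN = r"[A-Za-z0-9!#$%&'*+.^_`|~-]+"           # RFC 7230 token characters
_QUOTED = r'"(?:[^"\\]|\\.)*"'                    # RFC 7230 quoted-string
_PARAM = r"\s*;\s*" + _TOKEN + r"=(?:" + _TOKEN + "|" + _QUOTED + ")"
_MEDIA_TYPE = re.compile(r"^" + _TOKEN + "/" + _TOKEN + "(?:" + _PARAM + r")*\s*$")
_OGNL_MARKERS = ("%{", "${")


def inspect_content_type(value: str) -> list[str]:
    """Return the reasons a Content-Type value looks hostile; empty means clean."""
    reasons = []
    for marker in _OGNL_MARKERS:
        if marker in value:
            reasons.append(f"OGNL expression marker {marker!r}")
    if not _MEDIA_TYPE.match(value):
        reasons.append("not a valid media-type")
    return reasons


def scan_log(lines) -> list[dict]:
    """Return one record per request whose Content-Type fails inspection."""
    flagged = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            continue                                # malformed record, skip it
        ts, client, method, path, content_type = fields
        if not content_type:
            continue                                # no body, nothing to inspect
        reasons = inspect_content_type(content_type)
        if reasons:
            flagged.append({"time": ts, "client": client, "method": method,
                            "path": path, "reasons": reasons})
    return flagged


# Constructed log lines (RFC 5737 documentation addresses, placeholder payload).
SAMPLE_LOG = """\
2017-04-18T10:01:02Z\t203.0.113.5\tPOST\t/app/upload.action\tmultipart/form-data; boundary=----constructed1
2017-04-18T10:01:03Z\t203.0.113.9\tGET\t/app/index.action\t
2017-04-18T10:01:05Z\t198.51.100.7\tPOST\t/app/upload.action\t%{(#constructed_ognl_marker)}
2017-04-18T10:01:06Z\t203.0.113.5\tPOST\t/app/api.action\tapplication/json; charset="utf-8"
2017-04-18T10:01:09Z\t192.0.2.11\tPOST\t/app/upload.action\tmultipart/form-data; boundary=x; ${constructed}
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["client"], hit["path"], "; ".join(hit["reasons"]))
```

The grammar check is the part worth keeping after the marker list goes stale: it needs no knowledge of a particular payload, and it will also surface probing against any of the 25 affected Oracle components that sits behind a reverse proxy whose logs record the request headers.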

Securing Oracle applications

It is highly recommended that organizations patch all the vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.
