Analyzing Oracle Security – Oracle Critical Patch Update July 2017
Today Oracle has released its quarterly patch update for July 2017. It fixes a record number of 308 vulnerabilities.
The main highlights are as follows:
- The number of security issues released every quarter keeps growing. Once again, the vendor issued the highest number of its security patches (308) ever.
- July’s CPU contains 27 vulnerabilities assessed at critical (CVSS base score 9.0-10.0), including one rated the maximum of 10.0.
- This patch update also contains a record-breaking number of PeopleSoft fixes totaling 30. However, not only the number, but the criticality of issues is alarming. 20 of them can be exploited over the network without user credentials. The vulnerability identified by ERPScan researchers allows executing commands on the PeopleSoft server remotely .
Analysis of Oracle Critical Patch Update July 2017
Below you can find an analysis of the vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Security Intelligence teams.
The graph above shows that the vendor released yet another record-breaking set of CPUs. It’s especially notable taking into account that the previous update (April’s one) used to be the largest and first-ever reached a 300-issue mark. It safe to say that a constant trend of growing volume of Oracle CPU is here to stay.
We can assume that researchers’ have changed their mindset and focus on business software, which results in a record-breaking number of patches for one or another component. Of course, in the future, it will improve the level of security. However, now it’s is not the matter of finding bugs, but to release a patch (just imagine, 300 patches mean that at least 3 vulnerabilities are identified every day) and then install it in a timely manner, which is a difficult and monotonous task.
Oracle vulnerabilities by Application type
The patch updates touch a wide range of products. The affected product families are as follows (listed by the number of closed issues in descending order):
|Oracle Fusion Middleware||44|
|Oracle Java SE||32|
|Oracle E-Business Suite||22|
|Oracle Financial Services Applications||20|
|Oracle Communications Applications||11|
|Oracle Sun Systems||11|
|Oracle Supply Chain||10|
|Oracle Primavera Products Suite||9|
|Oracle Enterprise Manager Grid Control||8|
|Oracle Retail Applications||8|
|Oracle Database Server||5|
|Oracle REST Data Services||1|
|Oracle Siebel CRM||1|
|Oracle Policy Automation||1|
|Oracle Support Tools||1|
As you can see from the table, Oracle Hospitality applications (a product family for hotels and restaurants), lead by the number of the closed issues.
Vulnerabilities in Oracle’s business-critical applications
The fact that Oracle has 110,000 applications customers from a wide range of industries, makes it of the utmost importance to apply the released security patches.
This quarter’s CPU contains 82 patches for vulnerabilities affecting a scope of the most crucial business applications from Oracle, namely, Oracle PeopleSoft, E-Business Suite, Siebel CRM, Oracle Financial Services, Oracle Primavera Products Suite. About 53% of them can be exploited remotely without authentication.
Oracle PeopleSoft Security
This Oracle’s Critical Patch Update is characterized by the alarming number of patches for PeopleSoft. This quarter, the vendor released 30 fixes addressing the component (10% of the update). For comparison, last year there were 44 PeopleSoft patches in total.
Speaking about the state of PeopleSoft security, we should take into account not only the number, but the severity of the closed vulnerabilities. The highest CVSS score is 8.3. 20 of these security loopholes can be exploited over the network without requiring user credentials.
To make matters worse, ERPScan research team has recently conducted a custom scan that revealed that more than 1000 PeopleSoft applications were exposed to the Internet, with the majority of them located in the North America.
We should also mention a vulnerability (CVE-2017-10061, CVSS base score 8.3) in the PeopleSoft Enterprise PeopleTools component found by ERPScan researchers. It allows exploiting a directory traversal vulnerability and upload a file, but can be leveraged to execute any command on the server remotely without authentication.
Oracle PeopleSoft combines Supplier Relationship Management, Human Capital Management, Supply Chain Management, and other applications. The software has 6000+ enterprise customers and serves 20 million end users worldwide including more than 800 universities. Over 1000 PeopleSoft systems are available on the Internet putting organizations at risk. According to the latest research from Crowd Research partners, 89% of responders agreed that the number cyber attacks on ERP will significantly grow in the near future. SAP Attacks may cost up to $50m, PeopleSoft is definitely the same weight category.
-commented Alexander Polyakov, CTO at ERPScan.
Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages numerous business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization.
Oracle vulnerabilities identified by ERPScan Research team
This quarter, 6 critical vulnerabilities discovered by ERPScan researchers were closed.
The details of the identified issues are provided below:
- Remotely stopping WebLogic server using T3 protocol (CVSS base score 8.6, CVE-2017-10147). An attacker can use a special T3 request to stop remote server.
- Directory Traversal vulnerability in Integration Gateway (PSIGW) (CVSS base score 8.3, CVE-2017-10061). The up-to-date Oracle PeopleSoft HCM 9.2 suffers from directory traversal vulnerabilities which can be leveraged to potentially get remote command execution on the server. Some well-known impacts of Directory Traversal vulnerability are as follows: an attacker can read content of arbitrary files on the remote server and expose sensitive data, as well as overwrite, delete, or corrupt arbitrary files on the remote server.
- File Upload in Integration Gateway (PSIGW) (CVSS base score 8.3, CVE-2017-10061). An attacker can upload arbitrary text files, which can be leveraged to get remote command execution on the server (for example, an attacker can write his own public RSA key in ~/.ssh/authorized_keys file and get valid SSH session).
- Authentication bypass and directory traversal vulnerability in psft.pt8.cs servlet (CVSS base score 8.3, CVE-2017-10146). An attacker could read content of arbitrary files on the remote server and expose sensitive data.
- Multiple XSS (POST request ) Vulnerabilities in com.peoplesoft.pt.portlet.service.test.TestServlet (PeopleSoft) (CVSS base score 6.1, CVE-2017-10106). Attacker can use special HTTP request to hijack session data of administrators or users of the web resource.
- Anonymous log injection using T3 protocol in PeopleSoft (CVSS base score 5.8, CVE-2017-10148). An attacker can use a special T3 request to inject special data to log files.
The most critical Oracle vulnerabilities closed by CPU July 2017
Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability, and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS ). This aims to help Oracle customers to fix the most critical issues first.
The most critical issues closed by the CPU are as follows
- JNDI has CVE-2017-10137 (CVSS Base Score: 10.0) – Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: JNDI). Supported versions that are affected are 10.3.6.0 and 184.108.40.206. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
- OJVM has CVE-2017-10202 (CVSS Base Score: 9.9) – Vulnerability in the OJVM component of Oracle Database Server. Supported versions that are affected are 220.127.116.11, 18.104.22.168 and 22.214.171.124. Easily exploitable vulnerability allows low privileged attacker having Create Session, Create Procedure privilege with network access via multiple protocols to compromise OJVM. While the vulnerability is in OJVM, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of OJVM.
- Elastic Charging Engine (Apache Groovy) has CVE-2015-3253 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Communications BRM component of Oracle Communications Applications (subcomponent: Elastic Charging Engine (Apache Groovy)). Supported versions that are affected are 126.96.36.199.0 and 188.8.131.52.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Communications BRM. Successful attacks of this vulnerability can result in takeover of Oracle Communications BRM.
- BIOS (Intel AMT) has CVE-2017-5689 (CVSS Base Score: 9.8) – Vulnerability in the MICROS PC Workstation 2015 component of Oracle Hospitality Applications (subcomponent: BIOS (Intel AMT)). The supported version that is affected is Prior to O1302h. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise MICROS PC Workstation 2015. Successful attacks of this vulnerability can result in takeover of MICROS PC Workstation 2015.
- Monitor: General (Apache Struts 2) has CVE-2016-4436 (CVSS Base Score: 9.8) – Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitor: General (Apache Struts 2)). Supported versions that are affected are 184.108.40.20658 and earlier, 220.127.116.111 and earlier, 18.104.22.1682 and earlier and . Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP over TLS to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in takeover of MySQL Enterprise Monitor.
Securing Oracle applications
It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.