Retail Cyber security issues in Oracle Critical Patch Update July 2016
Today Oracle released its quarterly patch update for July 2016. It fixes a total of 276 vulnerabilities, the largest number of security issues Oracle has ever patched in a single update. Retail cyber security issues, together with healthcare ones, make up the most important part of this update.
The 3 main highlights are as follows:
- Oracle once again released the record number of fixes in its history – 276 in total (almost 2.5 times more than the average number). The trend demonstrates that the number of identified and closed issues in Oracle products keeps growing.
- Most of the closed issues belong to Oracle Fusion Middleware and Oracle Sun Systems Products Suite. 19 of all the fixed issues were rated 9.8.
- 36 patches address vulnerabilities in industry-specific solutions, including 10 that can be exploited remotely without authentication and pose a significant risk to companies. Among them, there are 16 vulnerabilities affecting the retail industry.
Compared with the previous CPU for April 2016, which closed 136 security vulnerabilities, this one addresses twice as many security issues. Furthermore, the number is almost 2.5 times more than the average (114).
It was just this January when Oracle released a record-breaking number of 248 security patches. However, in six months Oracle outdoes itself by fixing 276 vulnerabilities in a set of its products, more than they had ever done in any previous CPU.
Oracle systems are complex and multi-component, not speaking about numerous customizations every company usually has. So, Oracle admins should be ready for difficult and time-consuming work of implementing all the patches.
– commented Alexander Polyakov, CTO at ERPScan.
Oracle Critical Patch Update Analysis
Below you can find an analysis of the most significant vulnerabilities closed by this Critical Patch Update provided by ERPScan Research and Oracle Security Intelligence teams.
Oracle vulnerabilities by Application type
The affected product families are as follows (listed by the number of closed issues in descending order):
| Product family | Number of patches |
|---|---|
| Oracle Fusion Middleware | 40 |
| Oracle Sun Systems Products Suite | 34 |
| Oracle Supply Chain Products Suite | 25 |
| Oracle E-Business Suite | 23 |
| Oracle Siebel CRM | 16 |
| Oracle Communications Applications | 16 |
| Oracle Retail Applications | 16 |
| Oracle Primavera Products Suite | 15 |
| Oracle Java SE | 13 |
| Enterprise Manager Grid Control | 10 |
| Oracle Database Server | 9 |
| Oracle Insurance Applications | 8 |
| Oracle Health Sciences Applications | 5 |
| Oracle Financial Services Applications | 4 |
| Oracle Policy Automation | 4 |
| Oracle Utilities Applications | 3 |
| Oracle JD Edwards | 1 |
Oracle vulnerabilities in business-critical applications
This quarter’s CPU contains patches for vulnerabilities affecting a range of the most crucial business applications from Oracle, namely Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products, and Oracle Database Server. About 43% (121) of all the patch updates close vulnerabilities in these products. Moreover, about 71% of these vulnerabilities can be exploited remotely without authentication.
Oracle E-Business Suite Security
Oracle E-Business Suite is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.
This critical patch update contains 23 fixes for Oracle EBS. The highest CVSS score is 9.1.
Oracle PeopleSoft Security
Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization.
This Critical Patch Update contains 7 fixes for Oracle PeopleSoft; the previous quarter’s update contained 8. The highest CVSS score is 8.2.
Oracle JD Edwards Security
Oracle JDE is a set of various business applications. As it manages a wide range of business processes and stores key data, a successful attack against JD Edwards allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.
This Critical Patch Update contains 1 fix for Oracle JDE, with a CVSS score of 5.9.
Oracle Siebel CRM Security
Oracle Siebel CRM is a Customer Relationship Management solution. It delivers transactional, analytical, and engagement features. A successful attack against it can result in gaining control over tenders and affect relationship with clients.
This Critical patch update contains 16 fixes for Oracle Siebel CRM with the CVSS base score of 8.1.
Oracle vulnerabilities by industry
One of the features of this Critical Patch Update is a significant number of vulnerabilities in applications designed for specific industry requirements. 36 security issues were fixed in Retail, Insurance, Health, Financial, and Utility solutions.
Retail Cyber security issues
There are 4 vulnerabilities in Oracle Retail components that can be exploited remotely without authentication. Each of them has a CVSS score of 9.8, close to the maximum.
These issues were identified in application components such as Integration Bus, Order Broker, Service Backbone, and Inventory Management. As their names suggest, these components play a vital role in retail infrastructure and provide integration between other Oracle retail components and the company infrastructure, including other mission-critical applications. Attacks on these applications can disrupt business processes (such as payment or supply chain) in a retail company. An attacker can also exploit these issues to control all data transferred between components and thus commit fraud by changing some data in transit.
Healthcare cybersecurity issues
Another remotely exploitable issue was identified in Oracle Health Sciences Clinical Development Center application that provides a centralized environment for storing and integrating all clinical data as well as a controlled solution for automating and managing analysis and reporting. Such information as electronic data capture (EDC), electronic patient reported outcomes (ePRO), labs, trial supply information, images, and other data sources can be found in this system.
Oracle vulnerabilities by severity
The most critical Oracle vulnerabilities closed by CPU July 2016
Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This is intended to help Oracle customers fix the most critical issues first.
The most critical issues closed by the CPU are as follows:
- Oracle WebLogic Server has CVE-2016-3510 (CVSS Base Score: 9.8) – Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS Core Components). Supported versions that are affected are 10.3.6.0, 126.96.36.199 and 188.8.131.52. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
- Oracle Directory Server Enterprise Edition has CVE-2015-7182 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Directory Server Enterprise Edition component of Oracle Fusion Middleware (subcomponent: Admin Server). Supported versions that are affected are 7.0 and 184.108.40.206.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Directory Server Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Directory Server Enterprise Edition.
- Hyperion Financial Reporting has CVE-2016-3493 (CVSS Base Score: 9.8) – Vulnerability in the Hyperion Financial Reporting component of Oracle Hyperion (subcomponent: Security Models). The supported version that is affected is 220.127.116.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Hyperion Financial Reporting. Successful attacks of this vulnerability can result in takeover of Hyperion Financial Reporting.
- Oracle Health Sciences Clinical Development Center has CVE-2015-3253 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Health Sciences Clinical Development Center component of Oracle Health Sciences Applications (subcomponent: Installation and configuration). Supported versions that are affected are 3.1.1.x and 3.1.2.x. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Health Sciences Clinical Development Center. Successful attacks of this vulnerability can result in takeover of Oracle Health Sciences Clinical Development Center.
- Oracle Secure Global Desktop has CVE-2016-3613 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Secure Global Desktop component of Oracle Virtualization (subcomponent: OpenSSL). Supported versions that are affected are 4.63, 4.71 and 5.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via SSL/TLS to compromise Oracle Secure Global Desktop. Successful attacks of this vulnerability can result in takeover of Oracle Secure Global Desktop.
Securing Oracle applications
It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.