Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Oracle Fixes 237 Vulnerabilities in January Critical Patch Update

    By
    Sean Michael Kerner
    -
    January 18, 2018
    Share
    Facebook
    Twitter
    Linkedin
      Oracle.sign

      Oracle has released its January Critical Patch Update, fixing 237 vulnerabilities across the company’s product portfolio. The update, released on Jan. 16, comes as cryptocurrency miner attackers take aim at vulnerabilities that Oracle patched in its October 2017 CPU.

      The January 2018 CPU addresses myriad security vulnerabilities, including ones affecting database, middleware, Java, PeopleSoft, Siebel and E-Business Suite applications. Of particular note, Oracle’s January CPU includes patches for the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) processor vulnerabilities that were disclosed on Jan. 3.

      Other issues patched by Oracle in the January CPU include a pair of critical vulnerabilities (CVE-2018-2655 and CVE-2018-2656) in the Oracle E-Business Suite (EBS) that were reported by security firm Onapsis. The EBS flaws are remotely exploitable without the need for user authentication. According to Onapsis, an attacker could execute an arbitrary query in the database to get or modify private information.

      “We discovered these bugs doing research during a security assessment in one of our customers,” Sebastian Bortnik, head of research at Onapsis, told eWEEK. “We reported the vulnerabilities in mid-2017.”

      Onapsis also reported that a previously patched EBS flaw is vulnerable to a cryptocurrency miner exploit that has already been attacking PeopleSoft deployments. On Jan. 8, ISC SANS reported that attackers were exploiting the CVE-2017-10271 vulnerability, which enables unauthenticated access to a WebLogic Server. According to ISC SANS, the attackers were able to get a cryptocurrency miner running on PeopleSoft servers, which include WebLogic, to mine approximately $250,000 in Monero cryptocurrency. Bortnik noted that the CVE-2017-10271 vulnerability was patched in October 2017.

      “Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” Oracle warned in its January CPU advisory. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.”

      According to Bortnik, it’s also possible that flaws that were patched in the January CPU could be also used for unauthorized cryptocurrency mining attacks. Any bug that enables code execution could be potentially used in a cryptocurrency miner attack, he said. Cryptocurrency attacks against Oracle applications are relatively uncommon and are a new phenomenon, Bortnik added.

      “Attacks against business-critical applications are usually more targeted attacks and less frequent than attacks that make the press,” Bortnik said. “We have worked in the past with companies that have suffered an attack but still haven’t seen one affected to date with cryptocurrency.”

      Java

      As part of the January CPU, Oracle also patched 21 security vulnerabilities in Java, of which 18 are remotely exploitable without authentication. 

      Among the remotely exploitable issues are a pair of deserialization flaws that were discovered by security firm Waratek. Serialization is the process by which a data object is converted from an object to a series of bytes that can be stored and communicated.

      “Waratek researched the JRE (Java Runtime Environment) codebase and has identified two new unbounded memory allocation vulnerabilities in two JRE subcomponents that may be remotely exploitable without authentication,” Waratek stated in an advisory released Jan. 18.

      Waratek noted that Oracle has patched Java serialization methods for multiple vulnerabilities over the course of 2017 and introduced a new serialization filtering mechanism to help mitigate risks.

      “Oracle has tried to address deserialization, which is notoriously difficult to address, over the past year,” James Lee, executive vice president at Waratek, told eWEEK. “It has remained difficult to fix, and this CPU proves that deserialization remains a serious issue.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

      MOST POPULAR ARTICLES

      Big Data and Analytics

      Alteryx’s Suresh Vittal on the Democratization of...

      James Maguire - May 31, 2022 0
      I spoke with Suresh Vittal, Chief Product Officer at Alteryx, about the industry mega-shift toward making data analytics tools accessible to a company’s complete...
      Read more
      Cybersecurity

      Visa’s Michael Jabbara on Cybersecurity and Digital...

      James Maguire - May 17, 2022 0
      I spoke with Michael Jabbara, VP and Global Head of Fraud Services at Visa, about the cybersecurity technology used to ensure the safe transfer...
      Read more
      Applications

      Cisco’s Thimaya Subaiya on Customer Experience in...

      James Maguire - May 10, 2022 0
      I spoke with Thimaya Subaiya, SVP and GM of Global Customer Experience at Cisco, about the factors that create good customer experience – and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Cloud

      Yotascale CEO Asim Razzaq on Controlling Multicloud...

      James Maguire - May 5, 2022 0
      Asim Razzaq, CEO of Yotascale, provides guidance on understanding—and containing—the complex cost structure of multicloud computing. Among the topics we covered:  As you survey the...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×