Oracle released its first Critical Patch Update for 2019 on Jan. 15, providing patches for 284 vulnerabilities.
The January 2019 CPU addresses security vulnerabilities found across the Oracle software portfolio, including ones affecting database, middleware, Java, PeopleSoft, Siebel and E-Business Suite applications. Thirty-three of the vulnerabilities are identified as being critical with a Common Vulnerabilities Scoring System (CVSS) score of 9.0 or higher. CVSS is a standardized method for helping organizations understand the impact and severity of software vulnerabilities.
"It's interesting that there are a bunch of CVSS scores 9 and above in the risk matrices," Mukul Kumar, chief information security officer and vice president of Cyber Practice at Cavirin, told eWEEK. "This demonstrates fertile hunting ground for hackers."
Oracle updates its applications for security vulnerabilities in a quarterly cycle known as the Critical Patch Update. The January 2019 CPU marks a decline in the number of vulnerabilities patched from the previous CPU in October 2018, where Oracle patched 301 vulnerabilities. The 2019 patch count, however, is higher on a year-over-year basis, as Oracle patched 237 vulnerabilities in January 2018.
Among the most impactful flaws patched this quarter, according to an analysis by ERP security firm ERPscan, is an issue in the Jython programming language that provides an implementation of the Python programming language in Java. Jython is used in multiple Oracle applications, including the Oracle Banking Platform.
"The easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Banking Platform," ERPscan wrote in its analysis. "Successful attacks of this vulnerability can result in the takeover of Oracle Banking Platform."
Oracle Fusion Middleware
Overall, Oracle Fusion Middleware is getting the most patches of any Oracle product in the January 2019 CPU. A total of 62 vulnerabilities are being patched, with 57 of the issues identified by Oracle as being remotely exploitable without authentication. Oracle Fusion Middleware components are also used as a foundation in multiple areas of Oracle's portfolio. Additionally, Fusion makes use of other Oracle components including the company's namesake database. Oracle Database, however, is only tagged by Oracle for three new security fixes in the January CPU, and none of the issues is remotely exploitable without authentication.
Oracle's MySQL database, however, is not as fortunate as the Oracle Database and is getting patched for 30 issues, of which only three are remotely exploitable without authentication. Oracle gained the MySQL database as part of the acquisition of Sun Microsystems, which was completed in January 2010 for $7.4 billion.
Along with MySQL, Oracle also gained Java as part of the Sun acquisition. There was a time when Java was heavily scrutinized and often identified as a leading component in the Oracle portfolio for software vulnerability disclosures, but that's not the case in 2019.
For the January 2019 CPU, Oracle is only patching five new security issues in Java, though all of the issues are remotely exploitable without authentication. That said, Kumar noted that with the Java patches this quarter, there aren't any that have a CVSS score over 6.1
While the total number of patches in Java are low, there are still risks, according to John Matthew Holt, founder and chief technology officer at Waratek.
"This CPU could risk breaking binary compatibility for applications that rely on certain cypher configurations," Holt told eWEEK. "A reminder that CPU updates present significant risk to application operability, which is why we see prolonged/unpatched server-side applications."
Holt added that Java patching overall is in need of an overhaul as compatibility issues are resulting in millions of exposed server-side applications—especially in enterprise organizations.
"These applications are not being patched, and in some legacy systems they simply can't be patched, so it's only a matter of time before we see another Equifax headline," he said.
The challenge of patching Oracle enterprise applications is also one that security firm Onapsis is concerned about. Mike Miller, senior security architect at Onapsis, commented that when considering enterprise software, especially ERP systems such as the Oracle E-Business Suite, applying security patches is not always an easy process.
Miller said that one of the difficulties, while it might sound easy, is identifying what patches to apply. For Oracle E-Business Suite, security patches are cumulative and a single security patch is released by Oracle for the entire E-Business Suite, not for individual modules.
"While this might be straightforward, when you apply the latest security patch for Oracle E-Business Suite, you cannot forget about the supporting technology," Miller told eWEEK. "Applying security patches to the database does not do anything for E-Business Suite, nor does applying E-Business Suite security patches do anything for WebLogic. Identifying, testing and applying the full set of patches required to secure Oracle E-Business Suite is a challenge."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.