    Oracle Patches 284 Vulnerabilities in January Critical Patch Update

    By Sean Michael Kerner, January 16, 2019

      Oracle released its first Critical Patch Update for 2019 on Jan. 15, providing patches for 284 vulnerabilities.

      The January 2019 CPU addresses security vulnerabilities found across the Oracle software portfolio, including ones affecting database, middleware, Java, PeopleSoft, Siebel and E-Business Suite applications. Thirty-three of the vulnerabilities are identified as being critical with a Common Vulnerability Scoring System (CVSS) score of 9.0 or higher. CVSS is a standardized method for helping organizations understand the impact and severity of software vulnerabilities.

      “It’s interesting that there are a bunch of CVSS scores 9 and above in the risk matrices,” Mukul Kumar, chief information security officer and vice president of Cyber Practice at Cavirin, told eWEEK. “This demonstrates fertile hunting ground for hackers.”  

      Oracle updates its applications for security vulnerabilities in a quarterly cycle known as the Critical Patch Update. The January 2019 CPU marks a decline in the number of vulnerabilities patched from the previous CPU in October 2018, where Oracle patched 301 vulnerabilities. The 2019 patch count, however, is higher on a year-over-year basis, as Oracle patched 237 vulnerabilities in January 2018.

      Among the most impactful flaws patched this quarter, according to an analysis by ERP security firm ERPscan, is an issue in the Jython programming language that provides an implementation of the Python programming language in Java. Jython is used in multiple Oracle applications, including the Oracle Banking Platform.

      “The easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Banking Platform,” ERPscan wrote in its analysis. “Successful attacks of this vulnerability can result in the takeover of Oracle Banking Platform.” 

      Oracle Fusion Middleware

      Overall, Oracle Fusion Middleware is getting the most patches of any Oracle product in the January 2019 CPU. A total of 62 vulnerabilities are being patched, with 57 of the issues identified by Oracle as being remotely exploitable without authentication. Oracle Fusion Middleware components are also used as a foundation in multiple areas of Oracle’s portfolio. Additionally, Fusion makes use of other Oracle components including the company’s namesake database. Oracle Database, however, is only tagged by Oracle for three new security fixes in the January CPU, and none of the issues is remotely exploitable without authentication.
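The two properties the article keeps returning to, a CVSS base score of 9.0 or higher and "remotely exploitable without authentication", are what a defender uses to order a quarter's CPU work. The following is an added triage example, not code from the article or from Oracle; the rows are constructed in the shape of a CPU risk-matrix extract, the CVE ids are placeholders, and the scores are illustrative only.

```python
"""Triage of a constructed Critical Patch Update risk-matrix extract.

Added example, not from the article or from Oracle. Rows are constructed
sample data (product, component, placeholder CVE id, CVSS base score,
remotely exploitable without authentication); real entries come from the
Oracle advisory's risk matrices.
"""
from dataclasses import dataclass

CRITICAL_CVSS = 9.0  # the article's threshold for "critical"


@dataclass(frozen=True)
class Entry:
    product: str
    component: str
    cve: str          # placeholder, not a real CVE number
    cvss: float
    remote_no_auth: bool


# Constructed sample rows; values are illustrative only.
SAMPLE = [
    Entry("Oracle Fusion Middleware", "WebLogic Server", "CVE-XXXX-0001", 9.8, True),
    Entry("Oracle Fusion Middleware", "Outside In Technology", "CVE-XXXX-0002", 7.5, True),
    Entry("Oracle Database Server", "Core RDBMS", "CVE-XXXX-0003", 6.5, False),
    Entry("Oracle MySQL", "Server: Optimizer", "CVE-XXXX-0004", 4.9, False),
    Entry("Oracle Java SE", "Networking", "CVE-XXXX-0005", 5.9, True),
    Entry("Oracle Banking Platform", "Jython", "CVE-XXXX-0006", 9.8, True),
]


def priority(e: Entry) -> str:
    """P1: critical and reachable without credentials; P2: one of the two; P3: neither."""
    critical = e.cvss >= CRITICAL_CVSS
    if critical and e.remote_no_auth:
        return "P1"
    return "P2" if (critical or e.remote_no_auth) else "P3"


def triage(entries):
    """Group entries by priority tier, highest CVSS first within each tier (stable sort)."""
    tiers = {"P1": [], "P2": [], "P3": []}
    for e in entries:
        tiers[priority(e)].append(e)
    for rows in tiers.values():
        rows.sort(key=lambda e: e.cvss, reverse=True)
    return tiers


def summarize(entries):
    """Per-product (total fixes, remote-no-auth fixes), the two counts a CPU advisory reports."""
    out = {}
    for e in entries:
        total, remote = out.get(e.product, (0, 0))
        out[e.product] = (total + 1, remote + int(e.remote_no_auth))
    return out
```

Run `triage(SAMPLE)` on the real advisory rows once they are transcribed, and the P1 tier is the list to schedule first, before the per-product patch counts are even considered.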

      Oracle’s MySQL database, however, is not as fortunate as the Oracle Database and is getting patched for 30 issues, of which only three are remotely exploitable without authentication. Oracle gained the MySQL database as part of the acquisition of Sun Microsystems, which was completed in January 2010 for $7.4 billion.

      Java

      Along with MySQL, Oracle also gained Java as part of the Sun acquisition. There was a time when Java was heavily scrutinized and often identified as a leading component in the Oracle portfolio for software vulnerability disclosures, but that’s not the case in 2019.

      For the January 2019 CPU, Oracle is only patching five new security issues in Java, though all of the issues are remotely exploitable without authentication. That said, Kumar noted that none of this quarter's Java patches has a CVSS score over 6.1.

      While the total number of patches in Java is low, there are still risks, according to John Matthew Holt, founder and chief technology officer at Waratek.

       “This CPU could risk breaking binary compatibility for applications that rely on certain cypher configurations,” Holt told eWEEK. “A reminder that CPU updates present significant risk to application operability, which is why we see prolonged/unpatched server-side applications.”

      Holt added that Java patching overall is in need of an overhaul as compatibility issues are resulting in millions of exposed server-side applications—especially in enterprise organizations.

      “These applications are not being patched, and in some legacy systems they simply can’t be patched, so it’s only a matter of time before we see another Equifax headline,” he said.

      Patching

      The challenge of patching Oracle enterprise applications is also one that security firm Onapsis is concerned about. Mike Miller, senior security architect at Onapsis, commented that when considering enterprise software, especially ERP systems such as the Oracle E-Business Suite, applying security patches is not always an easy process.

      Miller said that one of the difficulties, while it might sound easy, is identifying what patches to apply. For Oracle E-Business Suite, security patches are cumulative and a single security patch is released by Oracle for the entire E-Business Suite, not for individual modules.

      “While this might be straightforward, when you apply the latest security patch for Oracle E-Business Suite, you cannot forget about the supporting technology,” Miller told eWEEK. “Applying security patches to the database does not do anything for E-Business Suite, nor does applying E-Business Suite security patches do anything for WebLogic. Identifying, testing and applying the full set of patches required to secure Oracle E-Business Suite is a challenge.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.