Oracle released its largest security update ever on April 18, providing fixes for 299 vulnerabilities across Oracle’s software portfolio.
The previous record for Oracle vulnerabilities fixed in a single update was 276 patches in the July 2016 critical patch update. Oracle patched 270 vulnerabilities in its January 2017 update, bringing the total number of vulnerabilities patched this year to 569.
While the total number of vulnerabilities patched this month is somewhat surprising, there are other surprises as well.
“The fact that we’re still addressing vulnerabilities associated with Struts v1 and Apache Commons years after the issues were first raised is surprising and troubling,” John Matthew Holt, Waratek CTO, told eWEEK. “The Struts 2 patch is less surprising since it was just announced in March 2017, but no less troubling as it points to the continuing issues associated with third party software components.”
Alexander Polyakov, CTO at ERPScan, also highlighted the Apache Struts CVE-2017-5638 vulnerability patch as a cause for concern. The flaw is a remote code execution vulnerability in the Apache Struts web development framework that affects 25 Oracle components, including 19 subcomponents of Oracle Financial Services Applications. The Apache Struts 2 vulnerability was being actively exploited in March, days after the open-source project's initial disclosure of the flaw.
ERPScan reported 7 of the 299 vulnerabilities that have now been fixed by Oracle. The most serious issue is a SQL injection flaw in Oracle E-Business Suite, identified as CVE-2017-3549.
“The code comprises an SQL statement containing strings that can be altered by an attacker,” Polyakov told eWEEK. “The manipulated SQL statement can be used then to retrieve additional data from the database or to modify the data without authorization.”
Another issue reported by ERPScan is CVE-2017-3547, a Carriage Return Line Feed (CRLF) vulnerability in Oracle PeopleSoft. Polyakov said that the vulnerability could enable an attacker to perform a variety of attacks, including cross-site scripting, hijacking of web pages, and defacement.
With the large number of vulnerabilities being patched by Oracle every quarter, Polyakov suggests that it might be time for Oracle to move to a more rapid monthly release cycle, to help reduce the patch load.
“The enormous number of patches just means that security researchers set their eyes on these applications,” Polyakov said. “The point is that it will enhance the security in the future.”
Holt’s view is that Oracle’s security team is doing the best it can, but like all cybersecurity teams, it struggles to keep up with wave after wave of newly discovered vulnerabilities.
“Addressing years-old vulnerabilities in current patches is proof that we are nearing a crisis point where our ability as a profession to respond in a timely and effective manner is at risk,” Holt said. “We continue to rely primarily on traditional approaches that can’t keep up with the pace and volume of vulnerabilities and that is not a sustainable model.”