    Oracle Patches 299 Vulnerabilities in April Critical Patch Update

    By Sean Michael Kerner - April 19, 2017

      Oracle released its largest security update ever on April 18, providing fixes for 299 vulnerabilities across Oracle’s software portfolio.

      The previous record for Oracle vulnerabilities fixed in a single update was 276 in the July 2016 critical patch update. Oracle patched 270 vulnerabilities in its January 2017 update, bringing the total number of vulnerabilities patched so far this year to 569.

      The total number of vulnerabilities patched this month is surprising in itself, but the contents of the update hold other surprises as well.

      “The fact that we’re still addressing vulnerabilities associated with Struts v1 and Apache Commons years after the issues were first raised is surprising and troubling,” John Matthew Holt, Waratek CTO, told eWEEK. “The Struts 2 patch is less surprising since it was just announced in March 2017, but no less troubling as it points to the continuing issues associated with third party software components.”

      Alexander Polyakov, CTO at ERPScan, also highlighted the patch for the Apache Struts vulnerability CVE-2017-5638 as a cause for concern. The flaw is a remote code execution vulnerability in the Apache Struts web development framework, and it affects 25 Oracle components, including 19 sub-components of Oracle Financial Services Applications. The Apache Struts 2 vulnerability was being actively exploited in March, within days of the initial disclosure of the flaw by the open-source project.
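The article does not say how CVE-2017-5638 is triggered, so as an added example (not from the article, Oracle, or the Struts project): exploits for this flaw put an OGNL expression in the Content-Type request header, which the Jakarta multipart parser's error handling passed through OGNL evaluation. The scanner below, written for this page, looks for that shape in a constructed batch of raw HTTP requests; the host, paths and payload are invented for the demonstration. It inspects only request-level headers, so the S2-046 variant of the same CVE, which reaches the bug through Content-Disposition inside the multipart body, would additionally need a multipart parser.

```python
import re

# Constructed sample: three raw HTTP requests as a proxy or WAF would see them,
# separated by a blank line. Only the second carries the OGNL expression shape
# that CVE-2017-5638 exploits place in the Content-Type header.
SAMPLE_REQUESTS = """\
POST /struts2-showcase/upload.action HTTP/1.1
Host: app.example
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryX

POST /struts2-showcase/upload.action HTTP/1.1
Host: app.example
Content-Type: %{(#_='multipart/form-data').(#dm=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS).(#cmd='id')}

GET /index.action HTTP/1.1
Host: app.example
Content-Type: application/x-www-form-urlencoded
"""

# An OGNL expression opens with "%{" or "${"; neither sequence has any place in
# a legitimate MIME type. The other alternatives catch fragments that public
# exploit scripts use even when the braces are moved around.
OGNL_MARKERS = re.compile(r"[%$]\{|ognl\.OgnlContext|#_memberAccess", re.IGNORECASE)


def split_requests(raw: str) -> list:
    """Split a blob of back-to-back requests on blank lines."""
    return [block for block in re.split(r"\n\s*\n", raw.strip()) if block.strip()]


def headers_of(request: str) -> dict:
    """Return {lowercased name: value} for the header lines of one request."""
    headers = {}
    for line in request.splitlines()[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def ognl_probe_header(request: str):
    """Return "content-type" if the request looks like a CVE-2017-5638 probe,
    otherwise None."""
    value = headers_of(request).get("content-type")
    if value is not None and OGNL_MARKERS.search(value):
        return "content-type"
    return None


def scan(raw: str) -> list:
    """Return (request line, offending header name) for every suspicious request."""
    hits = []
    for request in split_requests(raw):
        header = ognl_probe_header(request)
        if header:
            hits.append((request.splitlines()[0], header))
    return hits


if __name__ == "__main__":
    for request_line, header in scan(SAMPLE_REQUESTS):
        print(f"CVE-2017-5638 pattern in {header}: {request_line}")
```

A hit here is a high-confidence indicator rather than a vulnerability check: a server patched to Struts 2.3.32 or 2.5.10.1 will still receive these requests, so the result is best used to find who is probing and which endpoints they target.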

      ERPScan reported 7 of the 299 vulnerabilities that Oracle has now fixed. The most serious of those is a SQL injection flaw in Oracle E-Business Suite, identified as CVE-2017-3549.

      “The code comprises an SQL statement containing strings that can be altered by an attacker,” Polyakov told eWEEK. “The manipulated SQL statement can be used then to retrieve additional data from the database or to modify the data without authorization.”
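Polyakov's description is the general shape of SQL injection. The following is an added example, not Oracle's code and not the E-Business Suite statement behind CVE-2017-3549 (the article does not reproduce it): an in-memory SQLite database with invented table names stands in for an ERP backend, a lookup and an update built by string concatenation show both outcomes he names (reading extra data and modifying data without authorization), and parameterized versions beside them show the fix.

```python
import sqlite3

# Constructed in-memory schema standing in for an ERP database. Table names,
# column names and rows are invented for the demonstration.
SCHEMA = """
CREATE TABLE invoices (id INTEGER PRIMARY KEY, customer TEXT, amount REAL);
CREATE TABLE app_users (username TEXT, pw_hash TEXT);
INSERT INTO invoices VALUES (1, 'acme', 1200.00), (2, 'globex', 80.50), (3, 'acme', 45.00);
INSERT INTO app_users VALUES ('sysadmin', '9f86d081884c7d659a2feaa0c55ad015');
"""

# Closes the string literal, appends a UNION over a table the query was never
# meant to read, and comments out the closing quote the application appends.
READ_PAYLOAD = "x' UNION SELECT 0, username, pw_hash FROM app_users--"
# Turns a WHERE clause meant to match one invoice into one that matches all.
WRITE_PAYLOAD = "1' OR '1'='1"


def connect() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def invoices_for_customer_vulnerable(conn, customer: str) -> list:
    """The caller's string is spliced into the SQL text, so it can change the
    statement itself, not just the value being compared."""
    sql = f"SELECT id, customer, amount FROM invoices WHERE customer = '{customer}'"
    return sorted(conn.execute(sql).fetchall())


def invoices_for_customer_hardened(conn, customer: str) -> list:
    """Bound parameter: the engine receives the value separately from the
    statement, so it can only be compared, never parsed as SQL."""
    sql = "SELECT id, customer, amount FROM invoices WHERE customer = ?"
    return sorted(conn.execute(sql, (customer,)).fetchall())


def set_amount_vulnerable(conn, invoice_id: str, amount: float) -> int:
    """Binding one value does not help while another is still concatenated.
    Returns the number of rows the UPDATE modified."""
    sql = f"UPDATE invoices SET amount = ? WHERE id = '{invoice_id}'"
    return conn.execute(sql, (amount,)).rowcount


def set_amount_hardened(conn, invoice_id: str, amount: float) -> int:
    """Both values bound: the payload is compared against the integer id as an
    ordinary string and matches nothing."""
    sql = "UPDATE invoices SET amount = ? WHERE id = ?"
    return conn.execute(sql, (amount, invoice_id)).rowcount


if __name__ == "__main__":
    db = connect()
    print("vulnerable read:", invoices_for_customer_vulnerable(db, READ_PAYLOAD))
    print("hardened read:  ", invoices_for_customer_hardened(db, READ_PAYLOAD))
    print("vulnerable write touched", set_amount_vulnerable(db, WRITE_PAYLOAD, 0.01), "rows")
    print("hardened write touched  ", set_amount_hardened(db, WRITE_PAYLOAD, 0.01), "rows")
```

The UNION payload only works because the attacker can guess a table name and match the column count; in practice both are recovered with a few probing requests, which is why the fix is binding parameters rather than hiding schema details.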

      Another issue reported by ERPScan is CVE-2017-3547, a carriage return line feed (CRLF) injection vulnerability in Oracle PeopleSoft. Polyakov said that the vulnerability could enable an attacker to perform a variety of attacks, including cross-site scripting, hijacking of web pages, and defacement.
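To make the chain from CRLF injection to cross-site scripting concrete, here is an added example (not PeopleSoft code; the article gives no detail of where CVE-2017-3547 sits): a redirect handler that copies a caller-supplied value into a response header. A carriage return/line feed pair inside that value ends the header, and a second pair ends the header section, so the attacker can append headers and a body of their own choosing. The hardened version refuses the control characters, which is also what Python's http.client does for header values. The endpoint, the injected cookie and the payload are constructed for the demonstration.

```python
# Constructed attacker input for a "redirect to" parameter: the first CRLF
# terminates the Location header, the injected Set-Cookie line becomes a
# header of its own, and the empty line after it ends the header section so
# that everything following is served to the browser as the response body.
PAYLOAD = (
    "/home\r\n"
    "Set-Cookie: SESSION=attacker-chosen\r\n"
    "\r\n"
    "<script>alert(document.cookie)</script>"
)


def _format_redirect(location: str) -> bytes:
    return (
        "HTTP/1.1 302 Found\r\n"
        f"Location: {location}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    ).encode("latin-1")


def build_redirect_vulnerable(location: str) -> bytes:
    """Copies the caller's value straight into the header block."""
    return _format_redirect(location)


def build_redirect_hardened(location: str) -> bytes:
    """Refuses any value that could split the header block. Percent-encoding
    CR and LF before use would be the other acceptable option."""
    if "\r" in location or "\n" in location:
        raise ValueError("CR/LF in header value")
    return _format_redirect(location)


def parse_response(raw: bytes):
    """Minimal parse of a raw response the way a browser sees it:
    (status line, {lowercased header name: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("latin-1")


def injected_parts(location: str):
    """Build the vulnerable response and report what the attacker gained:
    (header names beyond the two the handler meant to send, body text)."""
    _, headers, body = parse_response(build_redirect_vulnerable(location))
    extra = sorted(set(headers) - {"location", "content-length"})
    return extra, body


def hardened_rejects(location: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_redirect_hardened(location)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    extra, body = injected_parts(PAYLOAD)
    print("injected headers:", extra)
    print("body served to browser:", body.splitlines()[0])
    print("hardened builder rejects payload:", hardened_rejects(PAYLOAD))
```

The body the browser receives starts with the attacker's script, which is the cross-site scripting outcome; replacing it with arbitrary HTML gives the page hijacking and defacement cases Polyakov lists. Modern servlet containers and HTTP libraries strip or reject CR/LF in header values, so this class of bug usually survives only where an application writes the raw response itself.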

      Oracle Security 

      With the large number of vulnerabilities being patched by Oracle every quarter, Polyakov suggests that it might be time for Oracle to move to a more rapid monthly release cycle, to help reduce the patch load.

      “The enormous number of patches just means that security researchers set their eyes on these applications,” Polyakov said. “The point is that it will enhance the security in the future.”

      Holt’s view is that Oracle’s security team is doing the best it can, but like all cybersecurity teams, they struggle to keep up with the wave after wave of vulnerabilities that are being discovered.  

      “Addressing years-old vulnerabilities in current patches is proof that we are nearing a crisis point where our ability as a profession to respond in a timely and effective manner is at risk,” Holt said. “We continue to rely primarily on traditional approaches that can’t keep up with the pace and volume of vulnerabilities and that is not a sustainable model.” 

      Sean Michael Kerner
      Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.