    Oracle Patches 299 Vulnerabilities in April Critical Patch Update

    By Sean Michael Kerner - April 19, 2017
      Oracle released its largest security update ever on April 18, providing fixes for 299 vulnerabilities across Oracle’s software portfolio.

      The previous record for Oracle vulnerabilities fixed in a single update was 276 patches in the July 2016 Critical Patch Update. Oracle patched 270 vulnerabilities in its January 2017 update, bringing the total number of vulnerabilities patched this year to 569.

      While the total number of vulnerabilities patched this month is somewhat surprising, there are other surprises as well.

      “The fact that we’re still addressing vulnerabilities associated with Struts v1 and Apache Commons years after the issues were first raised is surprising and troubling,” John Matthew Holt, Waratek CTO, told eWEEK. “The Struts 2 patch is less surprising since it was just announced in March 2017, but no less troubling as it points to the continuing issues associated with third-party software components.”

      Alexander Polyakov, CTO at ERPScan, also highlighted the Apache Struts CVE-2017-5638 vulnerability patch as a cause for concern. The flaw is a remote code execution vulnerability in the Apache Struts web development framework, and it affects 25 Oracle components, including 19 subcomponents of Oracle Financial Services Applications. The Apache Struts 2 vulnerability was being actively exploited in March, days after the open-source project first disclosed the flaw.

      ERPScan reported 7 of the 299 vulnerabilities that Oracle has now fixed. The most serious issue is a SQL injection flaw in Oracle E-Business Suite identified as CVE-2017-3549.

      “The code comprises an SQL statement containing strings that can be altered by an attacker,” Polyakov told eWEEK. “The manipulated SQL statement can then be used to retrieve additional data from the database or to modify the data without authorization.”

      Another issue reported by ERPScan is CVE-2017-3547, a carriage return line feed (CRLF) injection vulnerability in Oracle PeopleSoft. Polyakov said that the vulnerability could enable an attacker to perform a variety of attacks, including cross-site scripting, hijacking of web pages, and defacement.

      Oracle Security

      With the large number of vulnerabilities being patched by Oracle every quarter, Polyakov suggests that it might be time for Oracle to move to a more rapid monthly release cycle to spread out the patch load.

      “The enormous number of patches just means that security researchers set their eyes on these applications,” Polyakov said. “The point is that it will enhance the security in the future.”

      Holt’s view is that Oracle’s security team is doing the best it can, but like all cybersecurity teams, it struggles to keep up with wave after wave of newly discovered vulnerabilities.

      “Addressing years-old vulnerabilities in current patches is proof that we are nearing a crisis point where our ability as a profession to respond in a timely and effective manner is at risk,” Holt said. “We continue to rely primarily on traditional approaches that can’t keep up with the pace and volume of vulnerabilities and that is not a sustainable model.”
