Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
eWEEK.com
Search
eWEEK.com
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Oracle Patches 308 Vulnerabilities in July Critical Patch Update

    By
    SEAN MICHAEL KERNER
    -
    July 21, 2017
    Share
    Facebook
    Twitter
    Linkedin
      Oracle patches

      No company has ever patched as many vulnerabilities in a single patch update as Oracle did this month. Oracle released its July Critical Patch Update (CPU) this week, fixing a staggering 308 vulnerabilities. 

      The previous record high for Oracle was April 2017, when the company fixed 299 vulnerabilities across its software portfolio. To date in 2017, Oracle’s quarterly CPU has patched a total of 878 vulnerabilities.

      Not all vulnerabilities are equal, with the most severe typically being those that are remotely exploited without authentication. In the July CPU, there are a total of 165 remotely exploitable vulnerabilities across the Oracle software portfolio. Looking at vulnerability ratings with the Common Vulnerabilities Scoring System (CVSS), there are 27 issues with a rating between 9.0 and 10.0.

      One of those flaws—the CVE-2017-10137 vulnerability in the Oracle WebLogic server’s Java Naming and Directory Interface (JNDI) component—was rated at the highest 10.0 level.

      “Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server,” security firm ERPscan wrote in its analysis of the flaw. “While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.”

      Perhaps even more dangerous, however, are known vulnerabilities that Oracle has already patched in prior CPU releases but that customers have not yet patched.

      “Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” Oracle stated in it July CPU advisory. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.

      “Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” Oracle added.

      EBS

      Oracle’s E-Business Suite (EBS) received 22 patched in the July CPU, including 18 that can be remotely exploited without authentication.

      Among the flaws is a highly critical one in EBS 12.2 that security firm Onapsis describes as an arbitrary documents download vulnerability. Onapsis explains that anyone that is able to connect to the web server (not requiring any access credentials) and using a single HTTP request will be able to access any document stored in the database.

      The types of documents at risk could include invoices, purchase orders, financial reports and other forms of personally identifiable information (PII). Onapsis has already identified more than 1,000 connected EBS systems that are potentially exposed to the vulnerability.

      In total, Oracle is patching 11 EBS components this month for flaws reported by Onapsis. JP Perez-Etchegoyen, CTO of Onapsis, said all of the issues were reported to Oracle in April, so Oracle patched them in the CPU right after the report. 

      “In general, business-critical applications providers have improved in the way they deal with reported bugs, especially in the time to patch,” Perez-Etchegoyen told eWEEK. “In the past years, we have seen how they reduce the amount of time they spend to patch bugs. 

      “Despite that, Oracle is still working on the solution of other vulnerabilities that we have reported and we do not talk about, due to our responsible disclosure policies,” he added.

      The number of reported vulnerabilities in EBS has been rising in recent years. Perez-Etchegoyen said he believes the issue is not something specifically affecting EBS, but rather a problem that is shared across the whole ERP and business-critical applications landscape. 

      “These kinds of applications are extremely big, heavily customized, extremely complex, interconnected and have been developed and maintained for years,” Perez-Etchegoyen said. “So to improve security is a process that we are trying to go along with, transforming not only the way vendors treat security but also the way customers take care of cyber-security in business-critical applications.”

      Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      CHRIS PREIMESBERGER - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      CHRIS PREIMESBERGER - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      EWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      ZEUS KERRAVALA - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      WAYNE RASH - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Info

      © 2020 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×