No company has ever patched as many vulnerabilities in a single patch update as Oracle did this month. Oracle released its July Critical Patch Update (CPU) this week, fixing a staggering 308 vulnerabilities.
The previous record high for Oracle was April 2017, when the company fixed 299 vulnerabilities across its software portfolio. To date in 2017, Oracle’s quarterly CPU has patched a total of 878 vulnerabilities.
Not all vulnerabilities are equal, with the most severe typically being those that are remotely exploited without authentication. In the July CPU, there are a total of 165 remotely exploitable vulnerabilities across the Oracle software portfolio. Looking at vulnerability ratings with the Common Vulnerabilities Scoring System (CVSS), there are 27 issues with a rating between 9.0 and 10.0.
One of those flaws—the CVE-2017-10137 vulnerability in the Oracle WebLogic server’s Java Naming and Directory Interface (JNDI) component—was rated at the highest 10.0 level.
“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server,” security firm ERPscan wrote in its analysis of the flaw. “While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.”
Perhaps even more dangerous, however, are known vulnerabilities that Oracle has already patched in prior CPU releases but that customers have not yet patched.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” Oracle stated in it July CPU advisory. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches.
“Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” Oracle added.
Oracle’s E-Business Suite (EBS) received 22 patched in the July CPU, including 18 that can be remotely exploited without authentication.
Among the flaws is a highly critical one in EBS 12.2 that security firm Onapsis describes as an arbitrary documents download vulnerability. Onapsis explains that anyone that is able to connect to the web server (not requiring any access credentials) and using a single HTTP request will be able to access any document stored in the database.
The types of documents at risk could include invoices, purchase orders, financial reports and other forms of personally identifiable information (PII). Onapsis has already identified more than 1,000 connected EBS systems that are potentially exposed to the vulnerability.
In total, Oracle is patching 11 EBS components this month for flaws reported by Onapsis. JP Perez-Etchegoyen, CTO of Onapsis, said all of the issues were reported to Oracle in April, so Oracle patched them in the CPU right after the report.
“In general, business-critical applications providers have improved in the way they deal with reported bugs, especially in the time to patch,” Perez-Etchegoyen told eWEEK. “In the past years, we have seen how they reduce the amount of time they spend to patch bugs.
“Despite that, Oracle is still working on the solution of other vulnerabilities that we have reported and we do not talk about, due to our responsible disclosure policies,” he added.
The number of reported vulnerabilities in EBS has been rising in recent years. Perez-Etchegoyen said he believes the issue is not something specifically affecting EBS, but rather a problem that is shared across the whole ERP and business-critical applications landscape.
“These kinds of applications are extremely big, heavily customized, extremely complex, interconnected and have been developed and maintained for years,” Perez-Etchegoyen said. “So to improve security is a process that we are trying to go along with, transforming not only the way vendors treat security but also the way customers take care of cyber-security in business-critical applications.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.