Oracle has released the first Critical Patch Update scheduled for 2017, and it’s massive. It fixes 270 vulnerabilities across multiple products, and over 100 of them are remotely exploitable by unauthenticated attackers.
The entire list of affected products and components is long, and Oracle advises users of all of them to implement the updates as soon as possible.
“The focus has shifted from Database and Java SE to critical business applications, as we predicted within the last 2 years,” the ERPScan research team noted.
“This quarter, more than 100 patches address vulnerabilities in Oracle E-Business Suite (Oracle’s main business software), and 97% of them may be remotely exploitable without authentication.”
“We have been involved in Oracle business applications research since 2008 and have always paid attention to the security of EBS, JDE, and PeopleSoft applications. However, they attracted attention only 2 years ago, when ERPScan interns discovered multiple vulnerabilities in Oracle EBS. This fact was widely covered by the media, which resulted in a skyrocketing number of identified vulnerabilities in the solution,” commented Alexander Polyakov, CTO at ERPScan.
“The situation is reminiscent of the state of SAP security several years ago. In 2009, there were a few dozen bugs; in 2010, as SAP security was in the spotlight, the number of closed issues totaled some 800.”
But the matter is much broader than just SAP and EBS security, he says. “There are dozens of other business applications used in different industries that are waiting to become the next hot topic. PeopleSoft, JD Edwards, and Microsoft Dynamics are just a few examples, and they have already been mentioned in the media.”
Other hefty updates in this CPU include those for Oracle Financial Services Applications (37 vulnerabilities), Oracle MySQL (27), Oracle Fusion Middleware (18), and Oracle Java SE (17, of which 16 are remotely exploitable). A short overview of the most critical vulnerabilities that have now been closed can be found here.
Cisco Talos has also released details about two patched RCE vulnerabilities that researcher Aleksandar Nikolic unearthed in Oracle Outside In Technology (OIT), a set of SDKs that software developers can use to process a large number of different file formats.
The number of fixed issues is not the largest an Oracle CPU has ever delivered, but of the last five (since January 2016), four have passed the 240 mark.