Oracle fixes 252 vulnerabilities in October 2017 Critical Patch Update

Oracle has released its Critical Patch Update (CPU) for October 2017, addressing 252 vulnerabilities across its wide range of products.

Compared to the July 2017 CPU, this one addresses fewer security issues, but the number of yearly Oracle patches keeps rising:

Oracle CPU October 2017

Delving into the October 2017 CPU

This CPU contains 155 patches for vulnerabilities affecting a number of Oracle business applications: PeopleSoft, E-Business Suite, Fusion Middleware, Hospitality Applications, Retail, Hyperion, Siebel CRM, Supply Chain, JD Edwards, etc. According to ERPScan, about 71% of them can be exploited remotely without entering credentials.

This patch update also contains an alarming number of PeopleSoft fixes, and many of them are critical, as the underlying flaws can be exploited over the network without entering user credentials.

Among these is a highly critical (CVSS 9.8) RCE vulnerability in PeopleSoft, which can enable a malicious user to execute commands on the PeopleSoft server remotely and gain full remote access to all its data.

“Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization,” the company explained.

This information can include data such as SSNs, bank account numbers, and other personal information subject to GDPR compliance.

“Over 1000 PeopleSoft systems are available on the Internet simply by Google or Shodan scanning, therefore putting organizations at risk because of the recent vulns. According to the latest survey from Crowd Research Partners, 89% of responders have agreed that the number of cyber attacks on ERP will significantly grow in the near future and may cost up to $50 million,” says Alexander Polyakov, CTO at ERPScan.

Oracle Hospitality Applications received a total of 37 patches. Of these, three plug critical vulnerabilities in Oracle Hospitality Reporting and Analytics (CVE-2017-10402, CVE-2017-10405, CVE-2017-10404), which could lead to a complete takeover of the application and access to all data. The first two of these are exploitable over HTTP by an unauthenticated attacker with network access.

This quarter’s CPU also contains fixes for 22 Java SE vulnerabilities, more than 90% of which can be exploited remotely without authentication. The majority of them can be easily exploited (i.e. their attack complexity is low), and the most severe of these has a CVSS Base Score of 9.6.

Implementing patches

“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay,” the company noted.

Apostolos Giannakidis, security architect at application security outfit Waratek, says that since the July 2017 Oracle CPU, the world has been rocked by Equifax, KRACK and ROCA, giving new urgency to quickly patching these emerging vulnerabilities.

“While smaller than recent CPUs, there are very important updates included in this critical patch, such as patches that fix the serialization flaws. And, even though it is always important to pay attention to configuration issues, this CPU is not backwards compatible for specific cryptographic classes. If security teams are not mindful, applying the CPU risks breaking the application.”

Ideally, organizations should apply the CPU in QA and UAT environments before deploying it into production.

The next Oracle CPU is scheduled for 16 January 2018.