Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Oracle’s monster update emphasizes flaws in critical business applications

Fahmida Y. Rashid | July 24, 2017
Oracle hasn’t been “just” a database company in a long time, and nowhere is that more evident than in its quarterly critical patch update release, where the bulk of the fixes are in business applications like PeopleSoft and E-Business Suite.

oracle

Recent global malware outbreaks WannaCry and NotPetya exposed how much enterprises struggle with patching. Staying current with the latest security patches involves testing, preparing and deploying the updates and enterprises are lagging behind as each product has its own update schedule.

It is easy to wag fingers about how it shouldn't take IT more than 60 days to deploy an update, but consider the current workload. On top of the regularly scheduled monthly updates from Microsoft and Adobe, some organizations may need to deal with the latest Cisco patches. Organizations are still working on closing the SMB vulnerability, especially the out-of-network updates for Windows XP and other unsupported systems. Enterprises with iOS devices need to prioritize the latest update to address a serious security flaw in its WiFi chip.

Then there is Oracle’s gargantuan Critical Patch Update (CPU), which fixed a whopping 308 vulnerabilities across its entire product portfolio. Over half, or 168, of the fixes address vulnerabilities that could be remotely exploited without needing any kind of user authentication.

“For the second time this year, the latest Oracle patch release has reinforced the accelerating challenges cybersecurity teams face in keeping pace with software flaws and the malicious hackers that exploit them,” said John Matthew Holy, CTO of Waratek.

 

Databases aren’t the focus

On the July CPU, 27 of the vulnerabilities fixed would be rated as critical, as they have a CVSS base score between 9.0 and 10.0. The most critical vulnerability, with the CVSS score of 10.0 was in the Oracle WebLogic Server component of Oracle Fusion Middleware (the JNDI subcomponent). An unauthenticated attacker with network access via HTTP could compromise and take over Oracle WebLogic Server 10.3.6.0 and 12.1.3.0. “While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products,” ERPscan said in its analysis.

Security holes in Java tend to have wide-ranging impact, as they can pop up in other applications. The latest CPU fixed 32 vulnerabilities in Java, of which 28 were remotely exploitable without authentication. Three Java SE, Java SE Embedded and JRockit vulnerabilities were considered critical, with a CVSS base score of at least 9.0. All affect multiple versions of the respective software.

Oracle may be perceived as the “database company,” but its flagship product Oracle Database Server hasn’t been a major focus of the CPU in years, and that remains the case even with this monster update. The giant released only five patches for Oracle Database Server, three of which are remotely exploitable in the Oracle Secure Backup and Oracle Big Data Graph components included with the server. The CPU had 30 patches for MySQL, the database Oracle acquired as part of its 2009 Sun acquisition, of which nine were remotely exploitable without authentication.

 

1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.