That’s not to say there are no serious bugs left in the databases. Two of the three most critical vulnerabilities fixed in the CPU were in Oracle Database Server and MySQL. The vulnerability in the OJVM component (CVE-2017-10202) of Oracle Database Server 11.2.0.4, 12.1.0.2 and 12.2.0.1 has a CVSS base score of 9.9. A low-privileged attacker holding the Create Session and Create Procedure privileges, with remote access to the database over multiple protocols, can compromise and take over the OJVM. Those two privileges are the baseline grant for almost any developer or application account, so the "low privilege" precondition is easily met on most installations.
The third most critical flaw, with a CVSS base score of 9.8, is in the Monitor: General (Apache Struts 2) subcomponent of the MySQL Enterprise Monitor component, affecting the 3.2, 3.3 and 3.4 release lines prior to the fixed builds. It can be exploited by an unauthenticated attacker with network access via HTTPS to compromise MySQL Enterprise Monitor. Because the bug sits in the bundled Apache Struts 2 framework rather than in MySQL Server itself, a fully patched database fleet does not protect a monitoring host that is still running an old Enterprise Monitor build.
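The OJVM flaw is reachable by any account that holds both CREATE SESSION and CREATE PROCEDURE, so the first practical check is to find out who that is. The following queries are an added example, not code from the article or from Oracle; they use only the standard Oracle data dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_USERS and DBA_REGISTRY_SQLPATCH, and must be run by a DBA. The role expansion is recursive so that privileges inherited through nested roles are counted, and the PUBLIC check is there because a privilege granted to PUBLIC is effectively held by every account.

```sql
-- Added example (not from the article or from Oracle).
-- Accounts that hold BOTH CREATE SESSION and CREATE PROCEDURE, directly or
-- through any chain of roles: these meet the preconditions the advisory
-- cites for CVE-2017-10202. Requires SELECT on the DBA_* views (run as a DBA).
WITH role_tree (grantee, role_name) AS (
    -- direct role grants to users and roles
    SELECT grantee, granted_role
    FROM   dba_role_privs
    UNION ALL
    -- roles granted to roles, expanded recursively
    SELECT rt.grantee, rp.granted_role
    FROM   role_tree rt
    JOIN   dba_role_privs rp ON rp.grantee = rt.role_name
),
effective_privs AS (
    -- privileges granted straight to the grantee
    SELECT grantee, privilege
    FROM   dba_sys_privs
    WHERE  privilege IN ('CREATE SESSION', 'CREATE PROCEDURE')
    UNION
    -- privileges that arrive via a (possibly nested) role
    SELECT rt.grantee, sp.privilege
    FROM   role_tree rt
    JOIN   dba_sys_privs sp ON sp.grantee = rt.role_name
    WHERE  sp.privilege IN ('CREATE SESSION', 'CREATE PROCEDURE')
)
SELECT e.grantee,
       u.account_status,
       u.created
FROM   effective_privs e
JOIN   dba_users u ON u.username = e.grantee   -- keeps users, drops role names
GROUP  BY e.grantee, u.account_status, u.created
HAVING COUNT(DISTINCT e.privilege) = 2         -- both privileges present
ORDER  BY e.grantee;

-- If either privilege is granted to PUBLIC, every account in the database
-- qualifies regardless of what the query above returns.
SELECT privilege
FROM   dba_sys_privs
WHERE  grantee = 'PUBLIC'
AND    privilege IN ('CREATE SESSION', 'CREATE PROCEDURE');

-- 12c only: confirm whether the July 2017 OJVM patch has actually been
-- applied to this database (the view does not exist on 11.2, which records
-- SQL patches in REGISTRY$SQLPATCH instead).
SELECT patch_id, action, status, action_time, description
FROM   dba_registry_sqlpatch
WHERE  UPPER(description) LIKE '%OJVM%'
ORDER  BY action_time DESC;
```

Accounts that appear in the first result set and are not locked are the ones to prioritise for password rotation, privilege review or temporary lockout until the OJVM patch is confirmed in the third query. Oracle-maintained schemas will show up too; treat them as in scope rather than filtering them out, since the precondition is the privilege pair, not who owns the account.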
Vulnerabilities in business applications
So far in 2017, Oracle has patched 878 vulnerabilities across nearly two dozen product suites. Nearly two-thirds of the suites patched in this CPU are business-critical applications, including the Oracle Hospitality Suite, Oracle E-Business Suite and Oracle PeopleSoft. Given the breadth of Oracle’s portfolio, the updates touch a large number of enterprise applications and the data they hold, which makes testing and deploying the patches even more of a challenge.
Oracle fixed 120 vulnerabilities in Oracle E-Business Suite, of which 118 are remotely exploitable. Security company Onapsis said the critical information disclosure flaw (CVE-2017-10244), if exploited, would let attackers download business documents and configuration files without valid user credentials. Attackers can locate exposed EBS systems using Shodan and send carefully crafted requests with specific parameters to bypass authentication. All documents that users have attached across the various EBS modules, regardless of format, can then be downloaded with a single HTTP request.
Oracle EBS versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 are affected. “This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it. Even systems in DMZ mode do not ensure these systems are not vulnerable,” said Onapsis CTO Juan Perez-Etchegoyen.
Because the suite includes applications that handle CRM, financials, service and supply chain management, and procurement, among other critical business functions, the exposed documents include invoices, resumes from job candidates, design documents, customer records, financial reports and other files containing personally identifiable information (PII).
“Finally, depending on the industry, the exposure of these documents could lead to costly compliance violations with SOX, PCI-DSS, NIST, PII and SPI Privacy Laws, to name a few,” said Matias Mevied, the Oracle Security Specialist at Onapsis.
ERPscan said the number of issues fixed in this single update in Oracle PeopleSoft, which includes PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management, was “alarming.” For comparison, Oracle fixed 44 issues in PeopleSoft in all of 2016. Of the 30 PeopleSoft vulnerabilities in this CPU, 20 can be exploited over the network without user credentials. More than 1,000 PeopleSoft applications are exposed to the Internet, making this another attractive target for attackers.