Analyzing Oracle Security: Oracle Critical Patch Update for July 2018




Today, Oracle released its quarterly Critical Patch Update (CPU) for July 2018. It fixes a record 334 vulnerabilities.

The main highlights are as follows:

  • The average number of security issues fixed per quarter has kept growing this year.
  • The July CPU contains 203 vulnerabilities in business-critical applications, 61 percent of all vulnerabilities fixed across Oracle products.
  • The most affected product is Oracle Financial Services Applications, with 56 patches. The criticality of the issues is also alarming: 21 of them can be exploited over the network without authentication.
  • This CPU contains 61 vulnerabilities rated critical (CVSS base score 9.0-10.0). The most serious vulnerabilities of the current CPU, with a CVSS score of 9.8, are spread across multiple Oracle products, including Financial Services, Fusion Middleware, PeopleSoft, EBS and Retail Applications, among others.
  • Two of the most severe vulnerabilities were identified by ERPScan researchers in Oracle Fusion Middleware (CVE-2018-2894 and CVE-2018-2943).
  • Oracle fixed 17 vulnerabilities found by ERPScan researchers but decided not to mention ERPScan’s contribution and gave no credit, since ERPScan has been placed on a Treasury sanctions list.

Analysis of Oracle Critical Patch Update for July 2018

ERPScan Research and Security Intelligence teams provide an analysis of the vulnerabilities closed by this Critical Patch Update.

This quarter’s CPU for July 2018 contains more security patches than the previous CPU for April 2018 (see the bar chart).

The chart shows that the vendor released yet another record-breaking batch of patches, and the size of Oracle CPUs has grown steadily. The average number of security patches per CPU has tripled in the last 4 years (from 113 to 334).

Oracle Vulnerabilities by Application Type

The patch update touches a wide range of products. The affected product families are listed in the table below, sorted in descending order of closed issues.

Product Family                        Number of patches
Financial Services Applications       56
Fusion Middleware                     44
Retail Applications                   31
MySQL                                 31
Hospitality Applications              24
Sun Systems Products Suite            22
PeopleSoft                            15
Enterprise Manager Products Suite     16
E-Business Suite                      14
Communications Applications           14
Virtualization                        12
Construction and Engineering Suite    11
JD Edwards Products                   10
Java SE                                8
Supply Chain Products Suite            8
Utilities Applications                 4
Database Server                        4
Policy Automation                      3
Hyperion                               2
Insurance Applications                 2
Siebel CRM                             1
iLearning                              1
Support Tools                          1

As the table (and the accompanying pie chart) shows, Financial Services Applications lead by the number of closed issues. The vulnerability count in Fusion Middleware keeps rising and ranks second in July’s CPU.

Vulnerabilities in Oracle’s Business-Critical Applications

Oracle has 110,000 applications customers across a wide range of industries, which makes applying the released security patches of the utmost importance.

This quarter’s CPU contains 203 patches for vulnerabilities affecting Oracle’s most crucial business applications, namely PeopleSoft, E-Business Suite, Fusion Middleware, Retail, JD Edwards, Siebel CRM, Financial Services, Hospitality Applications and Supply Chain.

About 65 percent of them can be exploited remotely without credentials.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions, such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business-critical information, depending on the modules installed in an organization.

This Critical Patch Update contains 15 fixes for Oracle PeopleSoft; the highest CVSS score is 9.8.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on the modules installed in an organization.

This Critical Patch Update contains 14 fixes for Oracle EBS; the highest CVSS score is 8.2.

Oracle Vulnerabilities Identified by ERPScan Research Team

This quarter, 17 critical vulnerabilities discovered by ERPScan researchers were closed.

The details of the identified issues are provided below:

  • Remote command execution in Oracle MapViewer via JerseyFileUpload (CVSS base score 9.8, CVE-2018-2943). A directory traversal vulnerability lets an attacker upload a JSP file into the apps folder and execute commands (escalate privileges).
  • Missing authorization check in the JD Edwards EnterpriseOne SupportAssistant component (CVSS base score 7.5, CVE-2018-2944). The SupportAssistant component in JD Edwards EnterpriseOne does not perform the necessary authorization checks for a critical function, leading to privilege escalation. An attacker can send a GET request to http://host:port/jde/servlet/com.jdedwards.supportassistant.SupportAssistant and receive a list of all available methods. Afterwards, the attacker can invoke these methods via a POST request in the “xml” parameter to obtain, for example, any file on the file system.
  • Anonymous XXE in Oracle WebLogic portalTools (CVSS base score 5.3, CVE-2018-3101). XXE vulnerabilities allow reading files from the server or launching a DoS attack.
  • JSP file upload (privilege escalation) in Oracle Middleware 12.2.1.3.0 (CVSS base score 9.8, CVE-2018-2894). Using the JSP file upload, an attacker can place a JSP file in the apps folder and execute commands (escalate privileges).
  • Cross-Site Scripting (XSS) vulnerability in JDE URLBuilderService (CVSS base score 6.1, CVE-2018-2945). Attackers can use a specially crafted HTTP request to hijack the session data of administrators of the web resource.
  • Multiple Cross-Site Scripting (XSS) vulnerabilities in the JDE GraphPrototype maflet (CVSS base score 6.1, CVE-2018-2946). Attackers can use a specially crafted HTTP request to hijack the session data of administrators of the web resource.
  • Directory traversal in the JDE FileDownloader maflet (CVSS base score 6.5, CVE-2018-2947). This vulnerability allows attackers to traverse the file system and access files outside of the restricted directory.
  • Cross-Site Scripting (XSS) vulnerability in the JDE MMDGView maflet (CVSS base score 6.1, CVE-2018-2948). Attackers can use a specially crafted HTTP request to hijack the session data of administrators of the web resource.
  • Cross-Site Scripting (XSS) vulnerability in the JDE TEDocWindow maflet (CVSS base score 6.1, CVE-2018-2949). Attackers can use a specially crafted HTTP request to hijack the session data of administrators of the web resource.
  • Cross-Site Scripting (XSS) vulnerability in the JDE TETaskProperties maflet (CVSS base score 6.1, CVE-2018-2950). Attackers can use a specially crafted HTTP request to hijack the session data of administrators of the web resource.
  • Anonymous SQL injection in Oracle Business Process Management (CVSS base score 9.1, CVE-2018-3100). SQL injection vulnerabilities let an attacker extract information from the local database through insecure SQL requests.
  • File upload/download vulnerability in Integration Gateway SimpleFileTargetConnector (CVSS base score 7.4, CVE-2018-2990). The default password in integrationGateway.properties (ig.fileconnector.password=EncryptedPassword) allows an attacker to upload and download arbitrary files on the PeopleSoft web server and gain full control of it.
  • Directory traversal via zip archives in Oracle SOA Suite for Healthcare Integration (CVSS base score 4.3, CVE-2018-3105). Using the directory traversal, an attacker uploads a JSP file and obtains a webshell.
  • Cross-Site Scripting (XSS) vulnerability in the JDE ShortcutLauncher maflet (CVSS base score 6.1, CVE-2018-2999). Attackers can use a specially crafted HTTP request to hijack the session data of administrators of the web resource.
  • Cross-Site Scripting (XSS) vulnerability in the JDE dtadebugger maflet (CVSS base score 6.1, CVE-2018-3006). Attackers can use a specially crafted HTTP request to hijack the session data of administrators of the web resource.
  • CVE-2017-10269, affecting the Jolt protocol, was not properly patched and still exists (CVSS base score 8.6, CVE-2018-3007). The vulnerability allows remote attackers to expose internal memory of JSH processes, leaking critical information such as passwords and tokens.
  • PeopleSoft server-side template injection via arbitrary HTML file creation in ‘PSIGW/PeopleSoftListeningConnector/’ (CVSS base score 5.4, CVE-2018-3016). Attackers can create arbitrary HTML files with controlled content on the server side via a POST request to PSIGW/PeopleSoftListeningConnector/.
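Several of the issues above (the MapViewer and WebLogic JSP uploads, the FileDownloader traversal and the zip traversal in SOA Suite) share one root cause: a client-supplied file name is joined onto a server directory without proving that the result stays inside it. The Python below is an added illustration, not ERPScan’s or Oracle’s code, showing the naive join beside a hardened one that resolves the path, checks containment and refuses server-side executable extensions. The upload root, the file names and the extension allow-list are constructed for the example.

```python
import os
import posixpath

# Constructed policy: what a document-upload endpoint should accept.
ALLOWED_EXTENSIONS = {".txt", ".csv", ".pdf", ".png"}
# Extensions a Java application server would execute if they landed in a deployed app folder.
SERVER_SIDE_EXECUTABLE = {".jsp", ".jspx", ".jspf", ".war", ".class"}


def naive_join(base_dir, name):
    """Vulnerable pattern: the client-supplied name is trusted.
    '../' segments (or an absolute path) move the target outside base_dir."""
    return os.path.normpath(os.path.join(base_dir, name))


def safe_join(base_dir, name):
    """Hardened: resolve the path, prove it is still under base_dir,
    then apply an extension allow-list. Raises ValueError on rejection."""
    if not name or "\x00" in name:
        raise ValueError("empty or NUL-containing name")
    # Treat Windows separators as separators too, so 'a\\..\\b' cannot slip through.
    name = name.replace("\\", "/")
    if posixpath.isabs(name):
        raise ValueError("absolute path not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath is the reliable containment test; a string prefix check
    # would wrongly accept '/srv/app/uploads-evil' as being under '/srv/app/uploads'.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    ext = os.path.splitext(target)[1].lower()
    if ext in SERVER_SIDE_EXECUTABLE:
        raise ValueError("server-side executable content rejected")
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not on allow-list")
    return target


def screen_names(base_dir, names):
    """Apply safe_join to each name (upload file names or zip entry names)
    and report the decision per name."""
    results = {}
    for name in names:
        try:
            results[name] = "accept " + safe_join(base_dir, name)
        except ValueError as exc:
            results[name] = "reject: " + str(exc)
    return results


if __name__ == "__main__":
    # Constructed sample names, as they might appear in an upload request or a zip listing.
    SAMPLE_NAMES = [
        "reports/q2.csv",
        "../../apps/shell.jsp",
        "shell.jsp",
        "/etc/passwd",
        "..\\..\\apps\\shell.jsp",
    ]
    for n, verdict in screen_names("/srv/app/uploads", SAMPLE_NAMES).items():
        print(n, "->", verdict)
    print("naive join lands at:", naive_join("/srv/app/uploads", "../../apps/shell.jsp"))
```

The same `safe_join` is what a zip extractor should call for every entry name before writing, since an archive entry is just an attacker-chosen path; the extension check is a second, independent layer for the case where the containment check is correct but the upload folder itself is served by the application server.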

Nonetheless, Oracle decided not to mention ERPScan’s contribution and gave no credit, since ERPScan has been placed on a Treasury sanctions list.

The Most Critical Oracle Vulnerabilities Closed by CPU for July 2018

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS), which helps Oracle customers fix the most critical issues first.

The most critical issues closed by the CPU are as follows:

  • Oracle Spatial (jackson-databind) has CVE-2017-15095 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Spatial (jackson-databind) component of Oracle Database Server. Supported versions that are affected are 12.2.0.1 and 18.1. An easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Spatial (jackson-databind). Successful attacks of this vulnerability can result in a takeover of Oracle Spatial (jackson-databind).
  • Oracle Global Lifecycle Management OPatchAuto has CVE-2018-7489 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Global Lifecycle Management OPatchAuto component of Oracle Global Lifecycle Management (subcomponent: DB specific extensions (jackson-databind)). The supported version that is affected is All. An easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Global Lifecycle Management OPatchAuto. Successful attacks of this vulnerability can result in a takeover of Oracle Global Lifecycle Management OPatchAuto.
  • Oracle Fusion Middleware MapViewer has CVE-2018-2943 (CVSS Base Score: 9.8) – Vulnerability in the Oracle Fusion Middleware MapViewer component of Oracle Fusion Middleware (subcomponent: Map Builder). Supported versions that are affected are 12.2.1.2.0 and 12.2.1.3.0. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Fusion Middleware MapViewer. Successful attacks of this vulnerability can result in a takeover of Oracle Fusion Middleware MapViewer.
  • Oracle WebLogic Server has CVE-2018-2894 (CVSS Base Score: 9.8) – Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS – Web Services). Supported versions that are affected are 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in a takeover of Oracle WebLogic Server.
  • PeopleSoft Enterprise FIN Install has CVE-2017-5645 (CVSS Base Score: 9.8) – Vulnerability in the PeopleSoft Enterprise FIN Install component of Oracle PeopleSoft Products (subcomponent: Security (Apache Log4j)). The supported version that is affected is 9.2. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Install. Successful attacks of this vulnerability can result in a takeover of PeopleSoft Enterprise FIN Install.

Securing Oracle Applications

It is highly recommended that organizations patch all of these vulnerabilities to prevent business risks to their systems. Companies providing Oracle security assessment and Oracle penetration testing services should include these vulnerabilities in their checklists.
