Analyzing Oracle Security: Oracle Critical Patch Update, April 2017


Oracle recently released its quarterly patch update. See what the update covers and how it could affect your security.


Recently Oracle released its quarterly patch update for April 2017. It fixes a record number of 299 vulnerabilities.

The main highlights are as follows:

  • The average number of security issues released every quarter keeps growing and this quarter has almost reached 300.
  • 37% of patches address vulnerabilities in Oracle’s industry solutions such as Retail and Financial services applications installed in the largest companies worldwide.
  • The patch update contains 40 vulnerabilities assessed as critical (CVSS base score 9.0-10.0), including 25 rated 10.0.
  • One of the most severe vulnerabilities in Oracle E-Business Suite (the main business applications from the vendor) allows an attacker to read all key business data from the database remotely without authorization.

This quarter’s CPU contains more security patches than the previous CPU for January 2017 (270).

The graph above shows that the vendor has released yet another record-breaking batch of patches, less than a year after the previous record of 276 fixes (Oracle CPU, July 2017). There is a steady upward trend in Oracle CPU volume: the average number of security patches per CPU has tripled in the last 5 years (from 91 to 284).

Oracle Critical Patch Update Analysis

Below you can find an analysis of the vulnerabilities closed by this Critical Patch Update.

Oracle Vulnerabilities by Application Type

The patch updates touch a wide range of products. The affected product families are as follows (listed by the number of closed issues in descending order):

Product Family                        Number of Patches
Financial Services Applications       47
MySQL                                 39
Retail Applications                   39
Fusion Middleware                     31
Sun Systems Products Suite            21
PeopleSoft                            16
Virtualization                        15
Berkeley DB                           14
Support Tools                         13
E-Business Suite                      11
Communications Applications           11
Java SE                                8
Utilities Applications                 7
Primavera Products Suite               7
Hospitality Applications               6
Commerce                               3
Database Server                        2
Enterprise Manager Grid Control        2
Secure Backup                          1
Hyperion                               1
Supply Chain Products Suite            1
JD Edwards Products                    1
Siebel CRM                             1
Health Sciences Applications           1
Insurance Applications                 1
Total                                299

As you can see from the table, Oracle Financial Services Applications leads by the number of security patches, followed by MySQL and Retail Applications.

Vulnerabilities in Oracle Industry-Specific Applications

Oracle provides a set of industry-specific (vertical) applications intended to address the particular needs of each industry. Large enterprises use these solutions to store data and manage a wide range of business processes. Nonetheless, these applications contain numerous vulnerabilities which, if exploited, may lead to theft of sensitive data or manipulation of business-critical information.

Oracle’s critical patch update for April 2017 is characterized by the record-setting number of fixes addressing vertical applications. Security issues in Financial Services, Retail, Communications, Utilities, Hospitality, Health Sciences, and Insurance applications total 122 and account for 37% of all patches. Moreover, 61% (75) of them are remotely exploitable.

“Cybercrime has always been a lucrative business. Nowadays, hackers set their eyes on enterprises more than on individuals, as they understood that this option is more profitable. Taking into account that Oracle’s products are installed in the largest enterprises, these applications can be the ultimate target. The good news is that the vendor drew its attention to this critical area before a serious data breach happens. The bad news is that Oracle admins will long work on installing numerous patches.” – Alexander Polyakov, CTO at ERPScan.

Vulnerabilities in Oracle Business-Critical Applications

This quarter’s CPU contains 83 patches for vulnerabilities affecting Oracle’s most crucial business applications, namely Oracle PeopleSoft, E-Business Suite, JD Edwards, Siebel CRM, Oracle Financial Services, and Oracle Primavera Products Suite. About 60% of them can be exploited remotely without any credentials.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on the modules installed in an organization.

This critical patch update contains 11 fixes for Oracle EBS. The highest CVSS score is 9.1.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business-critical information, depending on the modules installed in an organization.

This Critical Patch Update contains 16 fixes for Oracle PeopleSoft, with the highest CVSS score of 7.5.

Oracle Vulnerabilities Identified by ERPScan Research Team

This quarter, 7 critical vulnerabilities discovered by 5 researchers at ERPScan were closed. Moreover, three of the researchers were also acknowledged under Oracle’s Security-In-Depth program, which means that the information they reported resulted in significant modifications of code or documentation in future releases.

The details of the identified issues are provided below:

  • SQL Injection in Oracle E-Business Suite (CVSS base score 9.1, CVE-2017-3549). The code builds an SQL statement from strings that an attacker can alter. The manipulated statement can then be used to retrieve additional data from the database or to modify data without authorization.
  • DoS in Oracle E-Business Suite (CVSS base score 7.5, CVE-2017-3555). An anonymous attacker can send many specially crafted requests and cause a denial of service of the whole subsystem.
  • CRLF injection in Oracle PeopleSoft (CVSS base score 7.4, CVE-2017-3547). An attacker can perform a variety of attacks including cross-site scripting, cross-user defacement, web-cache poisoning, hijacking of web pages, and defacement.
  • XSS in Oracle E-Business Suite (CVSS base score 7.1, CVE-2017-3557). An attacker can use a specially crafted HTTP request to hijack the session data of administrators or users of the web application.
  • XXE in Oracle PeopleSoft (CVSS base score 6.5, CVE-2017-3548). A malicious user can modify an XML-based request to include XML content (external entities) that is then parsed locally.
  • SSRF in Oracle PeopleSoft (CVSS base score 6.5, CVE-2017-3546). An attacker can force a vulnerable server to send requests to third-party servers or to internal resources. This can then be leveraged for attacks such as cross-site port attacks, service enumeration, and others.
  • SSRF in Oracle E-Business Suite (CVSS base score 5.3, CVE-2017-3556). An attacker can bypass authorization checks and download files stored in E-Business Suite.
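Three of the classes above share one root cause: a caller-controlled string is spliced into a structured statement or message (an SQL statement, a response header line, an outbound URL). The following Python is an added illustration written for this page, not code from Oracle, ERPScan or the affected products. It shows the weak SQL pattern beside its parameterized form, a CRLF filter for header values, and an allowlist check for server-side requests; the `accounts` table, its rows, the header values and the `ALLOWED_OUTBOUND_HOSTS` entries are all constructed.

```python
"""Hardened handling for three of the vulnerability classes listed above:
SQL injection, CRLF header injection and SSRF.  Added example for this page,
not code from Oracle or ERPScan; table, rows, headers and allowlist are
constructed."""
import ipaddress
import sqlite3
from urllib.parse import urlsplit

# Constructed stand-in for a business-data table.
SAMPLE_ROWS = [("alice", "public"), ("bob", "public"), ("carol", "secret")]
# Constructed allowlist of hosts the application may call out to.
ALLOWED_OUTBOUND_HOSTS = {"reports.example.internal"}


def make_db():
    """Build an in-memory SQLite table from the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE accounts(name TEXT, tier TEXT)")
    con.executemany("INSERT INTO accounts VALUES (?, ?)", SAMPLE_ROWS)
    return con


def lookup_vulnerable(con, name):
    """The pattern behind the SQL injection entry: the caller-controlled
    string becomes part of the statement text, so a name such as
    x' OR '1'='1  rewrites the WHERE clause and returns every row."""
    sql = "SELECT name, tier FROM accounts WHERE name = '%s'" % name
    return con.execute(sql).fetchall()


def lookup_hardened(con, name):
    """Bind the value as a parameter: the driver passes it as data, so the
    same input simply matches no row."""
    sql = "SELECT name, tier FROM accounts WHERE name = ?"
    return con.execute(sql, (name,)).fetchall()


def header_value_is_safe(value):
    """CRLF check: a header value must not contain CR, LF or any other
    control character (tab included, to stay conservative).  A value that
    can end the header line is what enables response splitting, cross-user
    defacement and web-cache poisoning."""
    return all(ord(ch) >= 0x20 and ord(ch) != 0x7F for ch in value)


def set_header(headers, name, value):
    """Add a response header only after the value passes the CRLF check."""
    if not header_value_is_safe(value):
        raise ValueError("control character in header value for %s" % name)
    headers[name] = value
    return headers


def is_safe_outbound_url(url):
    """SSRF check for a server-side fetch: http(s) only, host must be on the
    allowlist, and raw IP literals (which is how loopback and private
    ranges reach internal resources) are refused outright.  Assumption: the
    allowlisted names resolve only to the intended hosts; DNS rebinding
    needs a separate resolve-time check."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname or ""
    try:
        ipaddress.ip_address(host)
        return False  # IP literal: never allowed
    except ValueError:
        pass
    return host.lower() in ALLOWED_OUTBOUND_HOSTS


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, probe))   # every row
    print("hardened:  ", lookup_hardened(db, probe))     # []
    print("header ok: ", header_value_is_safe("a=b\r\nX-Injected: 1"))  # False
    print("ssrf ok:   ", is_safe_outbound_url("http://127.0.0.1:8080/admin"))  # False
```

The three checks are deliberately boring: bind parameters instead of formatting strings, reject control characters before a value reaches a header, and decide outbound destinations by allowlist rather than by trying to enumerate bad ones.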

The Most Critical Oracle Vulnerabilities Closed by CPU April 2017

Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of each vulnerability is calculated with the Common Vulnerability Scoring System (CVSS), which helps Oracle customers fix the most critical issues first.

The most critical issues closed by the CPU are as follows:

  • CVE-2017-3623 (CVSS Base Score: 10.0) – Solaris component of Oracle Sun Systems Products Suite (subcomponent: Kernel RPC). An easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Solaris. While the vulnerability is in Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in a takeover of Solaris.
  • CVE-2017-5638 (CVSS Base Score: 10.0) – MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: General (Struts 2)). Supported versions that are affected are 3.1.6.8003 and earlier, 3.2.1182 and earlier, and 3.3.2.1162 and earlier. An easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. While the vulnerability is in MySQL Enterprise Monitor, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in a takeover of MySQL Enterprise Monitor.
  • CVE-2017-5638 (CVSS Base Score: 10.0) – Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (subcomponent: Core (Struts 2)). Supported versions that are affected are 12.0.1, 12.0.2, 12.0.3, and 12.1.0. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle FLEXCUBE Private Banking. While the vulnerability is in Oracle FLEXCUBE Private Banking, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in a takeover of Oracle FLEXCUBE Private Banking.
  • CVE-2017-5638 (CVSS Base Score: 10.0) – Oracle Financial Services Asset Liability Management component of Oracle Financial Services Applications (subcomponent: Core (Struts 2)). Supported versions that are affected are 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, and 8.0.4. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Asset Liability Management. While the vulnerability is in Oracle Financial Services Asset Liability Management, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in a takeover of Oracle Financial Services Asset Liability Management.
  • CVE-2017-5638 (CVSS Base Score: 10.0) – Oracle Financial Services Data Integration Hub component of Oracle Financial Services Applications (subcomponent: Core (Struts 2)). Supported versions that are affected are 8.0.1, 8.0.2, 8.0.3, and 8.0.4. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Financial Services Data Integration Hub. While the vulnerability is in Oracle Financial Services Data Integration Hub, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in a takeover of Oracle Financial Services Data Integration Hub.

Multiple vulnerabilities in Struts 2.

A single remote code execution vulnerability in Apache Struts 2 (CVE-2017-5638, CVSS Base Score: 10.0) affects 25 Oracle components. Details, including a working example, are publicly available on the Internet (Metasploit Framework).
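A log-side check for the Struts 2 issue named above, added here as an example and not code from Oracle, ERPScan or the Metasploit module: it flags request heads whose Content-Type header carries an OGNL expression marker (`%{` or `${`), which is what the widely published IDS signatures for CVE-2017-5638 key on, because no legitimate media type contains those sequences. The request records are constructed, and the function names are chosen for this example.

```python
"""Log-side detection for CVE-2017-5638 (Apache Struts 2): OGNL expression
markers in the Content-Type header that the Struts multipart parser echoes
into its error message.  Added example for this page, not an Oracle, ERPScan
or Metasploit artifact; the request records are constructed.  A signature
like this supports alerting and triage of the 25 affected components; it is
not a substitute for installing the patch."""
import re

# OGNL expressions open with %{ or ${; a media type never contains either.
OGNL_MARKER = re.compile(r"[%$]\{")
WATCHED_HEADERS = ("content-type",)

# Constructed request heads as a reverse proxy or WAF might log them.
RECORDS = [
    "POST /upload.action HTTP/1.1\r\nHost: erp.example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----constructed\r\n\r\n",
    "GET /index.action HTTP/1.1\r\nHost: erp.example.test\r\n"
    "Accept: text/html\r\n\r\n",
    "POST /upload.action HTTP/1.1\r\nHost: erp.example.test\r\n"
    "Content-Type: %{#constructed}\r\n\r\n",
    "POST /api/report HTTP/1.1\r\nHost: erp.example.test\r\n"
    "Content-Type: application/json\r\n\r\n",
]


def parse_request_head(raw):
    """Split a raw HTTP request head into (request line, {header: value})
    with header names lower-cased; parsing stops at the blank line."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def ognl_header_findings(raw):
    """Names of watched headers that carry an OGNL marker ([] when clean)."""
    _, headers = parse_request_head(raw)
    return [h for h in WATCHED_HEADERS
            if h in headers and OGNL_MARKER.search(headers[h])]


def scan(records):
    """(request line, offending header names) for every suspicious record."""
    hits = []
    for raw in records:
        found = ognl_header_findings(raw)
        if found:
            hits.append((raw.split("\r\n", 1)[0], found))
    return hits


if __name__ == "__main__":
    for request_line, headers in scan(RECORDS):
        print("ALERT", request_line, "->", ", ".join(headers))
```

Match on the parsed header value rather than on the raw line so that a hit in an unrelated header or in the body does not produce noise, and keep the rule as a compensating control: the component list above is the inventory that needs the Struts fix applied.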

Securing Oracle Applications

It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists.


Published at DZone with permission of Alexander Polyakov, DZone MVB.
