April 2018 Oracle Critical Patch Update: Oracle Patches 254 Vulnerabilities, 176 Specific to Financials
Onapsis helps secure 92% of E-Business Suite vulnerabilities
Oracle just released its April 2018 Critical Patch Update (CPU) containing 254 new vulnerabilities that they have released patches for. At Onapsis, it is our goal to help customers and vendors secure business-critical applications by analyzing them for security weaknesses and working with the teams to help secure them. From this most recent Critical Patch Update 176 of the 254 vulnerabilities affect business-critical applications, which represents 69% of the total vulnerabilities.
Oracle uses CVSS version 3 to measure the impact of each vulnerability with ten being the most critical. In this CPU the highest score is 9.8 - 35 patches have this score. This represents a critical risk for all the companies that run the products containing these vulnerabilities in landscapes.
The Oracle business-critical applications that have a 9.8 CVSS score are:
- Communications Applications
- Financial Services
- Fusion Middleware
- JD Edwards
- Retail Applications
- Utilities Applications
If not patched, this could lead to a full compromise of the CIA triad: confidentiality, integrity and availability.
The CVSS also measures the complexity of attack and network accesses. Of the total of 176 business-critical application vulnerabilities, 114 are remotely exploitable. A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers).
The following graph shows the vulnerabilities number and percentage patched by Oracle for each business-critical application.
Vulnerabilities Reported by the Onapsis Research Labs
In this CPU Oracle fixed 12 vulnerabilities for Oracle E-Business Suite - 11 of which were reported by the Onapsis Research Labs. The vulnerabilities are nine information disclosures and two SQL injections.
The information disclosure vulnerabilities affect the confidentiality of Oracle E-Business Suite (EBS) systems and the SQL injection affects the confidentiality, availability and integrity of Oracle EBS systems. The following lists all the vulnerabilities fixed by Oracle and reported by the Onapsis Research Labs:
- CVE-2018-2864: Information Disclosure in OBJNAVSERVER which affects directly the confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
- CVE-2018-2865: Information Disclosure in GLLOOKUPSVO which affects directly the confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
- CVE-2018-2866: Information Disclosure in ACCOUNTTYPESLOVVO which affects directly the confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
- CVE-2018-2867: Information Disclosure in FUNCTIONSERVER which affects directly the confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
- CVE-2018-2868: Information Disclosure in ORGSERVER which affects directly the confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
- CVE-2018-2869: Information Disclosure in POSSERVER which affects directly the confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
- CVE-2018-2870: SQL Injection in ORGSERVER which affects directly the confidentiality, integrity and availability. CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
- CVE-2018-2871: SQL Injection in POSSERVER which affects directly the confidentiality, integrity and availability. CVSS 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
- CVE-2018-2872: Information Disclosure in DATAMANAGERSERVER. which affects directly the confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
- CVE-2018-2873: Information Disclosure in STRUCTURESVO which affects directly the confidentiality. CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
The 11 vulnerabilities were reported by our CTO, Juan Pablo Perez-Etchegoyen and we congratulate him for that!
SQL Injection Vulnerabilities
Injection vulnerabilities are the first vulnerability found in the OWASP (Open Web Application Security Project) Top 10 report. This report describes the most common vulnerabilities that companies are exposed to in Web Applications. These vulnerabilities tend to be of very high risk and should be patched immediately.
How does SQL injection work in Oracle E-Business Suite?
SQL injection is a vulnerability where an attacker can take advantage of the lack of parameter sanitization. An attacker can use these inputs and add some SQL statement to get or modify some database information or even in some cases generate a denial of service. The entry point that an attacker could use is a JSP, a Servlet or a specific class, among other possibilities.
The following code shows an example of an SQL injection vulnerability.
The first thing that a vulnerability needs is an input parameter:
String whereClause = request.getParameter("nWhereClause");
Then the variable “whereClause” can be assigned to other variables and can be used in different parts of the code.
The parameter received by the URL calls a specific class which uses the parameter to create the SQL statement as shown in the following example:
String str1 = "SELECT UNIQUE " + paramString1 + " id, " + paramString2 + " name, " + paramString3 + " details FROM " + paramString4;
This is how an attacker can see the SQL Injection in Oracle E-Business Suite system:
Oracle helps mitigate the possibility of attack by implementing sanitization, encoding or sometimes with prepared statements.
In this example, the way that Oracle mitigates the attack is by implementing a sanitization asking about the whereclause:
whereClause = j1.getWhereClause();
As always, organizations should immediately apply the released patches to ensure their systems are up to date and their data and processes are secure.
Onapsis at Collaborate and RSA conferences
This week Onapsis will present in RSA conference a session titled “I Forgot Your Password: Breaking Modern Password Recovery Systems” by Nahuel Sanchez and Martín Doyhenard. We will also showcase the Onapsis Security Platform at booth #4227 in the North Hall.
Another upcoming conference we will be attending in April is Collaborate 2018. We will have live demos of the Onapsis Security Platform functionality for Oracle EBS Financials at booth #1516. The team will present two sessions: