Oracle October CPU: Onapsis Contributes to EBS Security by Reporting Almost 60% of the Vulnerabilities, Including Those Most Critical

One of the most important components of securing business-critical applications is to ensure the systems are always up to date with the latest security patches to reduce the risk level. Today Oracle released the last Critical Patch Update (CPU) of the year. In this CPU, Oracle stopped an increasing trend seen in the last three CPUs, where Oracle continually fixed more vulnerabilities during each new CPU. In the latest CPU, Oracle fixed 252 security vulnerabilities.

Looking at one of the most important Oracle ERP (Enterprise Resource Planning) systems, Oracle E-Business Suite (EBS), in 2016 Oracle fixed 129 vulnerabilities in total. In 2017 Oracle fixed 180 vulnerabilities year-to-date, an increase in the vulnerabilities of 40% with a net increase of 51 more vulnerabilities in relation to the previous year.

The following graph shows the relationship between the total vulnerabilities in each CPU and Oracle EBS vulnerabilities, where blue bars represent vulnerabilities affecting Oracle EBS and orange bars represent vulnerabilities affecting all other Oracle products.

In this Critical Patch Update Oracle fixed 252 vulnerabilities, 182 directly affecting business-critical applications. 182 vulnerabilities represent 72% of the total CPU vulnerabilities. The following graph shows the vulnerability count and percentage for each business-critical application.

Onapsis helps to secure Oracle E-Business Suite 
At Onapsis we continuously aim to secure business-critical applications, which puts Oracle's most relevant ERP, Oracle E-Business Suite, in the limelight for the research team. During this latest CPU, Oracle released 26 vulnerabilities in total, 15 of which were reported by Onapsis Research Labs. These summarize 57.7% of the total number of vulnerabilities published this CPU for Oracle E-Business Suite. The next graph represents the Onapsis contribution to securing Oracle E-Business Suite in the last two years.

The following vulnerabilities reported by Onapsis Research Labs were fixed by Oracle in its latest CPU, October 2017:

Three (3) SQL Injections Vulnerabilities found by Onapsis, the first with high risk,  second and third with critical risk:

  • CVE-2017-10332: Unauthenticated SQL Injection in Oracle E-Business Suite
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - Base Score 7.5
  • CVE-2017-10329: Unauthenticated SQL Injection in Oracle E-Business Suite
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N - Base Score 9.1
  • CVE-2017-10330: Unauthenticated SQL Injection in Oracle E-Business Suite
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N - Base Score 9.1

Thirteen (13) other vulnerabilities found by Onapsis:

  • CVE-2017-10336: Information Disclosure and Cross Site Scripting (XSS) in Oracle E-Business Suite
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N - Base Score 5.3
  • CVE-2017-10281: Denial Of Service in Java
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L - Base Score 5.3
  • CVE-2017-10347: Denial Of Service in Java
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L - Base Score 5.3
  • CVE-2017-10324: Information Disclosure in Oracle E-Business Suite
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - Base Score 5.3
  • CVE-2017-10066: Incorrect log handling in Oracle E-Business Suite
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N - Base Score 5.3
  • CVE-2017-10325: Persistent Cross Site Scripting (XSS) in Oracle E-Business Suite JSP page
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N - Base Score 8.2
  • CVE-2017-10328: Information Disclosure in Oracle E-Business Suite
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N - Base Score 7.5
  • CVE-2017-10331: Information Disclosure in Oracle E-Business Suite
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N - Base Score 5.3
  • CVE-2017-10322: Missing authorization in Oracle E-Business Suite JSP page
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N - Base Score 5.3
  • CVE-2017-10326: Persistent Cross Site Scripting (XSS) in Oracle E-Business Suite JSP page
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N - Base Score 8.2
  • CVE-2017-3444: Cross Site Scripting (XSS) in Oracle E-Business Suite JSP page
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N - Base Score 8.2
  • CVE-2017-10323: Cross Site Scripting (XSS) in Oracle E-Business Suite Servlet
    • CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N - Base Score 8.2

2017 Oracle OpenWorld 
A remarkable milestone occurred earlier this month at the 2017 Oracle OpenWorld conference. During the first keynote speech, Oracle Executive Chairman and CTO, Larry Ellison started the event with a strong focus around cybersecurity in his opening remarks and stated that companies need to make cybersecurity a top priority. A few important quotes from Larry Ellison’s speech, which can be found here

  • “Preventing data theft is all about securing your data and wherever you choose to store your data.”
  • “The key thing you have to do in cybersecurity is know when you are being attacked and you need to know early when you are being attacked, you have to know during the reconnaissance phase of a cyber attack, when someone’s kind of nosing around in your computers systems trying to steal a password, trying to assume someone else’s identity.”

These two excerpts emphasize how important it is for all companies to be prepared and have a cybersecurity strategy in place in order to prevent attacks. This introduction to cybersecurity was a great starting point at Oracle OpenWorld for the two Onapsis sessions:

  •  “To Patch or Not to Patch: Answering the CPU Question” co-presented by our CTO Juan Pablo Perez Etchegoyen with Bruce Lowenthal, Senior Director, Security Alerts Group, Oracle. 
  • “Trends in Oracle E-Business Suite Cybersecurity: From Database to Application” presented by one of our Oracle Security Specialists, Matias Mevied. 

Action Items
It is highly recommended to implement all the patches released by Oracle for the products that your company is using and running. The patches are available here to download and implement.

Follow Onapsis on Twitter and LinkedIn to stay up to date on the latest information to help you secure your business-critical applications. 

Leave a comment

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.