Oracle Corp released its quarterly Critical Patch Update (CPU) on Tuesday, issuing fixes for 252 vulnerabilities, including extremely severe bugs found in the company's Hospitality Applications, Siebel CRM solution, and PeopleSoft HR software.
In order of most vulnerabilities to fewest, the tech giant's latest update patches flaws in Oracle's Fusion Middleware, Hospitality Applications, E-Business Suite, MySQL, PeopleSoft, Communications Applications, Java SE, Sun Systems Products Suite, Retail Applications, Siebel CRM, Supply Chain Product Suite, Virtualisation, Database Server, Hyperion, JD Edwards Products, Financial Services Applications, Health Sciences Applications, Construction and Engineering Suite, and Enterprise Manager Grid Control.
A summary of the security update, published on Wednesday by ERPScan, describes six of the most severe vulnerabilities, two of which were assigned a maximum base score of 10.0 using the Common Vulnerability Scoring System (CVSS). Both of these flaws can be remotely exploited by unauthenticated attackers who have HTTP-based network access, in order to compromise the Hospitality Reporting and Analytics component of Oracle's Hospitality Applications. The first, CVE-2017-10402, can result in a takeover of the solution, while the second, CVE-2017-10405, allows malicious actors to access critical data or trigger a denial-of-service condition, ERPScan reports.
Three more hospitality application vulnerabilities were given CVSS scores of either 9.9 or 9.8.
The vulnerability CVE-2013-1903, found in Oracle's Siebel customer relationship management solution, also earned a CVSS score of 10.0. Unauthorised attackers with network access via HTTP can remotely exploit this to take over the Siebel Apps – Field Service component of the CRM solution, ERPScan explains.
ERPScan also noted an “alarming” number of repairs to Oracle's PeopleSoft human resources software, which companies use to manage highly sensitive employee data, including social security numbers and bank account numbers. “Over 1,000 PeopleSoft systems are available on the internet simply by Google- or Shodan-scanning, therefore putting organisations at risk because of the recent vulnerabilities," commented Alexander Polyakov, ERPScan CTO.
There were 23 PeopleSoft fixes in total, compared to 44 PeopleSoft all of last year. Thirteen of them can be exploited over the network without user credentials. The most critical one, which was identified by ERPScan researchers, enables attackers to remotely execute commands on the PeopleSoft server using a malicious Java serialized package.
Meanwhile, there were 26 fixes for Oracle's E-Business Suite. According to a report from Onapsis, Oracle this year has already patched 180 EBS vulnerabilities, well over the 129 addressed in all of 2016 – a near-40 percent increase so far. Two of the vulnerabilities, CVE-2017-10329 and CVE-2017-10330, are critical-risk, unauthenticated SQL injection flaws that can be remotely exploited without authentication in order to access and modify critical documents and business data. Each earned a CVSS base score of 9.1.
“These vulnerabilities are especially risky, as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,” said JP Perez-Etchegoyen, CTO at Onapsis. “Critical business information could be stored in the system, including invoices, purchase orders, HR information, and design documents.”
“While we would never scan to identify vulnerable systems, using free search engines we were able to identify that upwards of 1,000 EBS systems are currently connected to the internet, more than half of these being in the United States. These organisations need to patch immediately to mitigate this risk in their organization,” Perez-Etchegoyen continued.
Oracle has now resolved 1,119 security issues in 2017 – 22 percent more flaws than in all of 2016, ERPScan reports.
For the year now, Oracle has issued 1,119 patches, ERPScan reports.