This week, Oracle released its Critical Patch Update for October 2016. It closes multiple vulnerabilities, so Oracle administrators will face the task of testing, verifying, and deploying dozens of patches.
Bigger Doesn't Always Mean Better
This CPU contains a total of 253 patches across 76 product families. The October 2016 set of patches is the second largest of the year, after the July CPU set a record at 276 patches. Oracle started this year by releasing the monster CPU of 248 patches, which made headlines as a record-breaking number of fixes. Looking at the graph above, we can assume that exceeding the two-hundred mark in the number of closed issues is not a coincidence but a trend.
This year is truly record-breaking in terms of released patches: almost every CPU of 2016 contains more than 200 fixes, almost twice the average number of fixes (110) released by Oracle from 2011 to 2015.
With the last CPU of 2016, the vendor has fixed almost 1,000 security issues (913 in total) in this year alone.
Business application security
Not only the CPU size but also the criticality of the closed issues is alarming. Several vulnerabilities are assessed as critical, and almost half of all the issues can be exploited remotely without authentication.
97 vulnerabilities affect Oracle's most crucial business applications, namely Oracle E-Business Suite, Oracle Fusion Middleware, Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, Oracle Supply Chain Products, and Oracle Database Server. About 64% of these vulnerabilities can be exploited remotely without authentication.
Focus on E-Business Suite
Usually, when it comes to Oracle CPUs, everybody pays attention to database and Java vulnerabilities. However, business applications such as Oracle E-Business Suite (EBS) are the crown jewels for attackers.
Oracle E-Business Suite is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on the modules installed in an organization.
This critical patch update contains 21 fixes for Oracle EBS. The highest CVSS score is 8.2.
Among the vulnerable components is Oracle HTTP Server, the web server component of Oracle EBS. The vulnerability is assessed as critical (CVSS base score of 8.2). According to Oracle's advisory, the vulnerability is easily exploitable and allows an unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful exploitation of this vulnerability can result in a complete DoS of Oracle HTTP Server and unauthorized read access to data.
ERPScan researchers conducted a Shodan scan and found that approximately 15,000 Oracle HTTP servers are exposed to the Internet.
The takeaway is rather predictable: implement the appropriate patches as soon as they are released. No doubt, Oracle admins are used to the time-consuming work of implementing and testing patches. For more information, please refer to the latest review covering Oracle EBS security as well as other Oracle systems. And one piece of advice: please remember that Oracle updates are not limited to the Java and Database area.