April's Oracle CPU Fixes Critical Bugs Reported by Onapsis
Following up from last week’s OAUG Collaborate Conference in San Antonio, Oracle has released its second quarter Critical Patch Update (CPU) and it’s a big one. For those of you who engaged with us at Collaborate where we continued to stress the importance of keeping up with patches, it’s now time to put our advice into practice. And for those who did not make it to Collaborate, we encourage you to download the presentation we delivered, “How to Implement Oracle Critical Patch Updates for EBS.”
Released on Tuesday, April 16th, the latest CPU includes three CVEs reported by the Onapsis Research Labs with two having a HIGH CVSS of 8.1, impacting WebLogic (CVE-2019-2568) and Oracle General Ledger (CVE-2019-2638), and the other having a CVSS of 5.1, affecting Oracle Work in Process (CVE-2019-2633).
Both critical vulnerabilities reported by Onapsis affect a key component active by default in every Oracle E-Business Suite (EBS) system, called Thin Client Framework (TCF). As part of this CPU advisory, two critical SQL injection vulnerabilities, which should have been previously patched, could lead an attacker to take full control of the database and the entire Oracle EBS stack.
An attack relies on the affected protocol to instantiate Java classes, which can be abused by injecting arbitrary SQL queries. Both vulnerabilities could be exploited remotely and, depending on the EBS version, could be exploited by an unauthenticated attacker (if the system lacks the April 2018 CPU). Both vulnerabilities are Arbitrary SQL Injection and one of them also includes an insecure object deserialization. By controlling the attributes of the object, a malicious user could inject SQL statements to execute custom queries in the database.
If successfully exploited, an attacker could do some of the following actions on the affected system:
- Execute arbitrary SQL queries
- Change user passwords, including sysadmin
- Obtain all users and, if not hashed, their password by decrypting them
- Gain the APPS database user password
- Get sensitive information from known database tables
- Execute operating system commands
In one of the worst-case scenarios, if the vulnerabilities are leveraged to set the SYSADMIN password, a malicious user can have full control of the EBS system. Making matters even worse, by creating custom procedures, OS commands can be executed with the EBS OS user, which would have high privileges and could affect the entire server of the company.
As the database is where all the critical business data is stored, executing arbitrary SQL code with high privileges (APPS database user) by an unauthenticated user (or in the case of the latest EBS versions, a user with low privileges) means compromising the most important information in a company. For this reason, these vulnerabilities can be considered extremely critical and should be patched as soon as the fix is available.
Additional April CPU Details
This CPU contains 297 new security vulnerability fixes for several Oracle products, with 35 affecting Oracle EBS. Some of the other business-critical applications affected by vulnerabilities that were fixed in this CPU include Oracle Applications Framework, Oracle CRM Technical Foundation, and Oracle General Ledger, among others.
EBS is Oracle’s most widely implemented Enterprise Resource Planning (ERP) solution. In this CPU, Oracle recommends that customers apply the security patches for all technology stack components in Oracle EBS, including database and Oracle Fusion Middleware. There are 99 vulnerabilities in total affecting this platform:
- 6 for Database (1 of these vulnerabilities may be remotely exploitable without authentication)
- 53 for Oracle Fusion Middleware (42 remotely exploitable without authentication)
- 5 for Java (All remotely exploitable without authentication)
- 35 for Oracle EBS (33 remotely exploitable without authentication)
For Oracle EBS, the highest CVSS v3.0 scored CVE is 8.2 in almost 11 products in the complete stack. One of the more critical patches (CVE-2019-2665) is present in 11 products, and its impact is described in the Oracle Report:
“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Common Applications. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Common Applications, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Common Applications accessible data as well as unauthorized update, insert or delete access to some of Oracle Common Applications accessible data.”
You need to be aware that all 35 vulnerabilities in this CPU affect Oracle EBS directly, in all versions from 12.1 to 12.2.8. This means that it is not enough to have the latest version available, you must always install the CPU in your stack too.
A reminder that the next CPU will be released on July 16 2019, so you have time to implement and test this CPU before that date. To implement this CPU for Oracle EBS, you can use this step-by-step guide to implementing Oracle Critical Patch Updates.
Additionally, we offer a complementary assessment called a Business Risk Illustration (BRI), where we will assess your Oracle EBS systems to show you where you are vulnerable and at risk. It demonstrates the value Onapsis brings by automating continuous monitoring of Oracle EBS to deliver actionable intelligence, enabling you to prioritize vulnerability remediation. Talk to us today to schedule your BRI.
Stay tuned to our blog, as we continue to provide you with more information and best practices for Oracle EBS security.