Research

Yesterday, Oracle released its quarterly security patches and what a record breaking CPU it was! With close to 300 published patches, this marks the highest number of patches released to date for any CPU. This further validates the trend we have seen in previous CPU’s which is  to correct more vulnerabilities in Oracle products due to increased research submissions targeting different Oracle products.

While only in release candidate form, the current proposed changes to the OWASP Top 10 Application Security Risks provide clear guidance for any enterprise that needs to secure and protect their critical enterprise business applications. In general, the OWASP Top 10 and these two additions can be directly applied to an approach and methodology for securing ERP based business applications and systems.

In this month's post we will analyze the January 2017 Oracle Critical Patch Update (CPU) and how it relates to Oracle Business Critical Applications. This CPU is special because the number of vulnerabilities fixed sets a new record for the amount of vulnerabilities fixed in a single CPU for Business Critical Applications. At Onapsis, we believe there are two main factors that contribute to this record breaking number of vulnerabilities in a single CPU. These two factors are the Researchers and of course, Oracle itself.

SAP HANA evolved a lot in 2016, as did security focused on this critical platform. The year ended with the release of the “new generation” version, SAP HANA 2. Starting in early December, customers have been able to upgrade to this new version that SAP explains as big enough not to call it SAP HANA SP13. This new release is another testament to the success of SAP HANA adoption and will continue to increase the amount of customers that are moving to the world of the SAP in-memory database.

So, 2017 begins... and the first Patch Day has arrived. Today, SAP published its first Security Notes post of the year, making a total of 24 notes (21 published today) since the last Security Notes Tuesday in December. The amount of security corrections for each month starts consistent with last year (keeping the average of 25 SAP Security Notes per month). Today SAP published, for the second month in a row, SAP Security Notes for SAP ERP Defense Forces and Public Security.

Yesterday, Oracle released its quarterly Critical Patch Update (CPU) to provide customers with detailed information about the latest vulnerabilities affecting Oracle business critical applications. This post will help Oracle customers better understand and prioritize the implementation of patches and testing of vulnerabilities on these systems within their organization. In this CPU, Oracle published 253 patches which affect 76 different Oracle products. We will analyze the Critical Patch Update and then will focus on the Oracle E-Business Suite vulnerabilities.

In today’s evolving IT landscape, companies are constantly planning their next steps when it comes to business-critical application security. Specifically, they are planning these steps around their SAP environment which supports core business processes for some of the world’s largest organizations. When it comes to migrating SAP solutions to the cloud, different roadmaps are regularly being assembled and developed in order to properly transfer solutions that were traditionally supported by on premise SAP systems to a diverse range of cloud offerings provided by SAP.

Today, the Onapsis Research Labs released 14 advisories for SAP and 6 for Oracle E-Business Suite. All of the SAP advisories pertain to SAP NetWeaver - the technical integration platform on top of which enterprise and business solutions are developed and run. Half of these advisories for SAP NetWeaver relate to remote command execution vulnerabilities, which will be explained later in this post. On the Oracle side, all six advisories relate to cross-site scripting (XSS) attacks on the core business application Oracle E-Business Suite.

Introduction

A few months ago, we published a post about Clickjacking attacks, analyzing the nature of the attack, its related security notes and statistics on the attacks themselves. Even though this type of attack is not new, it’s an important aspect for the SAP world to understand, especially considering its relevancy after July’s security notes release.