Today is the first Oracle Critical Patch Update (CPU) of the year and a lot of challenges are coming for us and for you: improving your ERP applications security is a must for nowadays cyberattacks landscape. The Onapsis Research Labs has been focused even more on researching Oracle E-Business Suite, where we have reported 78.9% of total vulnerabilities in the last two years (a total of 159 vulnerabilities out of 229 was originally reported by our team). This first CPU of the year contains 284 new security vulnerability fixes for several Oracle products, including the new EBS version 12.2.8 launched in October 2018.
Some business-critical applications affected by vulnerabilities that were fixed in this Critical Patch Update include Oracle Applications Manager, Oracle Content Manager, Oracle CRM Technical Foundation, Oracle Marketing and Oracle Mobile Field Service, among others.
Oracle E-Business Suite is one of the most important Enterprise Resource Planning (ERP) that Oracle has in their products. In this CPU Oracle recommends the customer applies the security patches for technology stack components in Oracle E-Business Suite, including database and Oracle Fusion Middleware. There are 86 vulnerabilities in total affecting this platform:
- 3 for Database (None of these vulnerabilities may be remotely exploitable without authentication)
- 62 for Oracle Fusion Middleware (57 of these vulnerabilities may be remotely exploitable without authentication)
- 5 for Java (All of these vulnerabilities may be remotely exploitable without authentication)
- 16 for Oracle E-Business Suite technology stack components (9 of these vulnerabilities may be remotely exploitable without authentication)
As mentioned, this is the first CPU after Oracle released E-Business Suite 12.2.8 and it already has fixed bugs for this version. This is a good reminder about how relevant it is to keep your systems up to date, even the ones that have newer versions.
For Oracle E-Business Suite the highest CVSS is 9.1 in the products Oracle Performance Management (only version 12.1.3) and Oracle One-to-One Fulfillment. This last bug affects subcomponent OCM Query (including last version 12.2.8) and it is "easily exploitable" through an unauthenticated attacker with network access via HTTP to Oracle One-to-One Fulfillment. As Oracle published, “successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle One-to-One Fulfillment accessible data as well as unauthorized access to critical data or complete access to all Oracle One-to-One Fulfillment accessible data.”
Consider that all the 16 vulnerabilities in this CPU affecting Oracle E-Business Suite directly, also affect the new version 12.2.8. This mean that it is not enough to have the latest version available, you always need to install the CPU in your stack too.
In this new version 12.2.8, Oracle didn’t include new checks regarding security for its Secure Configuration Console. To implement the Critical Patch Update for Oracle E-Business Suite the AppDBA can use the following document that we have created, to review the step-by-step guide to implement the patches: How to implement Oracle CPU.
Oracle uses CVSS version 3 to measure the impact of each vulnerability, where 10 is the most critical vulnerability impact. In this CPU the highest CVSS 3.0 Base Score for vulnerabilities in this Critical Patch Update is 9.8 for Enterprise Manager Base Platform of Oracle Enterprise Manager Products Suite, which means that an attacker can use the vulnerability remotely to have full compromise of the CIA triad: Confidentiality, Integrity and Availability.
Michael Miller, Senior Security Architect at Onapsis, recently explained in an interview with Oracle Magazine what we mentioned at the beginning of this blog post:
"No one team, tool, technique, or vendor is going to secure you. Security is only created by you, your teams, and your people following processes—and often using tools. What we do here at Onapsis is think about those processes and consider how we can make people work smarter, add value, and create solutions."
As part of our work to help users, we will be presenting at the Collaborate Conference next April, with several talks about Oracle security, presented by Onapsis experts Cristian Peque and Michael Miller, including:
- Steps to stay secure with Security Configuration Console in Oracle E-Business Suite
- Oracle E-Business Suite: Key Audit & Compliance Advantages to Running in the Cloud
- How to implement Oracle Critical Patch Updates for EBS
- Hacking and Protecting Oracle E-Business Suite