July '20 Oracle CPU: Oracle Fixes Several Critical Vulnerabilities
This week, Oracle released its third Critical Patch Update (CPU) of the year and for the second quarter in a row, as stated in April’s report, a new historical mark took place. This time, there was a new record in the number of patches, releasing 433 new security patches.
The July CPU release also includes a total of 30 patches for Oracle E-Business Suite (EBS), one of the most used ERP software suites in the World. In addition, there are four critical vulnerabilities with a CVSS Base Score of 9.1 affecting Oracle E-Business Suite in three different products. These vulnerabilities identified with CVE-2020-14598 and CVE-2020-14599 for Oracle “CRM Gateway for Mobile Devices” only affect version 12.1, whileCVE-2020-14658 for “Oracle Marketing”, and CVE-2020-14665 in “Oracle Trade Management affect versions 12.1.1 through 12.2.9.
It’s important to mention that these vulnerabilities are easily exploitable, allowing an unauthenticated attacker with network access via HTTP to compromise these products. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification of critical data. Therefore, it is essential to apply this fix as soon as possible.
This CPU also includes several critical vulnerabilities targeting Oracle WebLogic. In fact, it contains vulnerabilities with a CVSS Base Score of 9.8, which are easily exploitable and allows unauthenticated attackers with network access via IIOP, T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of the system.
CPU and Oracle EBS in Numbers
In this CPU, Oracle recommends customers to apply the security patches for technology stack components in Oracle EBS, including database and Oracle Fusion Middleware. There are 112 vulnerabilities in total affecting this platform:
- 19 for Database (1 of these vulnerabilities may be remotely exploitable without authentication)
- 52 for Oracle Fusion Middleware (48 of these vulnerabilities may be remotely exploitable without authentication)
- 11 for Java (all of these vulnerabilities may be remotely exploitable without authentication)
- 30 for Oracle EBS technology stack components (24 of these vulnerabilities may be remotely exploitable without authentication)
All 112 vulnerabilities in this CPU affect Oracle EBS directly. This means that it is not enough to have the latest version available. You always need to install the CPU in your stack as well. Do not forget about the Weblogic CPU. It is just as important as the Database and Oracle EBS CPU. A successful attack of some of these vulnerabilities in WebLogic can give access to the WebLogic server, and this server is the same as EBS.
Finally, a reminder that the next CPU will be released on October 20 2020, so you have time to implement and test this CPU before that date. Onapsis recommends you prioritize patching the most critical vulnerabilities first. To implement this CPU for Oracle EBS, you can use this step-by-step guide to implementing Oracle Critical Patch Updates.
Additionally, Onapsis offers a complimentary assessment called a Business Risk Illustration (BRI), where Onapsis will assess your Oracle EBS systems to show where you are vulnerable and at risk against more than 200 checks. It demonstrates the value The Onapsis Platform provides by automating continuous monitoring of Oracle EBS to deliver actionable intelligence, enabling you to prioritize vulnerability remediation. Learn more about our BRI offerings, or request one here.
Be sure to check out our blog regularly as we continue to provide you with more information and best practices for Oracle EBS security.