We always analyze CPUs released from Oracle on our research blog, but this time we have also created a document of what to do after Oracle launches a CPU for EBS. In addition, each of the steps taken to install patches is analyzed in detail with screenshots and sample results directly from work done in the Onapsis Research Labs. We fully believe that this is the best starting point for anyone wishing to improve their Oracle E-Business Suite application security and we invite you to download the complete document for step-by-step instructions for implementing the Oracle CPUs for EBS.
Today, Oracle released the July 2018 Critical Patch Update (CPU), setting a new vulnerability record. In this CPU, Oracle patched 334 vulnerabilities. The last record was 310 vulnerabilities patched in July 2017. As usual we will analyze all the vulnerabilities with direct impact to the Oracle business-critical applications. Oracle groups the vulnerabilities in 24 different application groups including the following:
Database Server, Global Lifecycle Management, Communications, Construction and Engineering Suite, E-Business Suite, Enterprise Manager, Financial Services, Fusion Middleware, Hospitality, Hyperion, iLearning, Insurance, Java SE, JD Edwards, MySQL, PeopleSoft, Policy Automation, Retail, Siebel, Sun Systems, Supply Chain, Support Tools, Utilities and Virtualization.
In the above list, the business-critical applications are marked in bold to identify them. 13 of the 24 are identified as a business-critical application. They represent 54% of the total applications.
Regarding the vulnerabilities, of the 334 vulnerabilities, 189 have direct impact with the critical groups bolded above. This shows that 57% of the vulnerabilities have a direct impact to business-critical applications. The following graph shows the vulnerability count and the percentage for each. Another relevant point is if the number of remote vulnerabilities from the 189 vulnerabilities have a direct impact to critical applications, 115 are remotely exploitable without authentication. This mean that an attacker could exploit the vulnerability without credentials and without physical access. The vulnerability could be exploited only with network access.
In relationship with the vulnerabilities Common Vulnerability Scoring System (CVSS) criticality from the business-critical applications there exists 28 vulnerabilities with the highest CVSS in this Critical Patch Update which is 9.8.
The applications with the highest 9.8 CVSS value are:
- Communications: 1 vulnerability
- Financial Services: 9 vulnerabilities
- Insurance: 2 vulnerabilities
- PeopleSoft: 2 vulnerabilities
- Retail: 13 vulnerabilities
- Supply Chain: 1 vulnerability
As always, we strongly recommend to implement the patches to mitigate the possibility of attacks. Specific to Oracle E-Business Suite, you can download our in-depth guide to help you implement the patches. Our recommendation is to implement always the latest Critical Patch Updates available. One important point in Oracle E-Business Suite is that if you implement the last Critical Patch Update you will have implemented all the previous patches.
Onapsis at Oracle Open World 2018
Oracle Open World is one of the most important conferences in our industry. This year we have the pleasure to present at Oracle Open World. If you are planning to attend Oracle Open World conference, don’t miss our session: Key Audit and Compliance Advantages of Running in the Cloud presented by Matias Mevied and Cristian Peque.