In this month's post we analyze the January 2017 Oracle Critical Patch Update (CPU) and how it relates to Oracle Business Critical Applications. This CPU is notable because it sets a new record for the number of vulnerabilities fixed in Business Critical Applications in a single CPU. At Onapsis, we believe two main factors contribute to this record: the researchers reporting issues and, of course, Oracle itself. The growing number of researchers reporting security weaknesses to Oracle, together with the company's flexibility and willingness to work with these teams, is what makes it possible to fix as many vulnerabilities as it does.

In January 2017 Oracle published 270 fixes affecting 45 different Oracle products. The Onapsis Research Labs reported 102 of the vulnerabilities fixed in this CPU, roughly 38% of the total (102 of 270). It is important to highlight that all 102 vulnerabilities reported by Onapsis were reported to Oracle on November 1st and were all fixed in the first CPU available after that date, which further demonstrates the flexibility of the Oracle team.

The vulnerabilities found by Onapsis Research Labs are Cross-Site Scripting (XSS) vulnerabilities. Some can be triggered with a single crafted request parameter, while others require more elaborate parameter combinations to exploit. For more details about how Cross-Site Scripting works and how to mitigate it, see our July 2016 CPU post: https://www.onapsis.com/blog/oracle-fixes-record-276-vulnerabilities-july-2016-.

The following graph summarizes the Oracle Business Critical Applications affected in this CPU, where:
- The bars represent the average CVSS score for each Oracle product group.
- The number inside each bar is the count of vulnerabilities in that product group.
- The point represents the maximum CVSS score in that product group.
- The color of the bars and points represents the CVSS severity band: green is low, yellow is medium, orange is high and red is critical.
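The XSS class mentioned above, illustrated with an added example that is not from the original post, from Oracle or from any Oracle product: a hypothetical search page that reflects request parameters, first without output encoding and then with HTML entity encoding applied at the point of output, plus a small check that probes each candidate parameter for unencoded reflection. The handler, the parameter names (`q`, `page`, `lang`) and the probe string are all constructed for this example.

```python
"""Reflected XSS: a vulnerable page beside its hardened form, plus a reflection check.

Added example; the page and parameters are hypothetical, not Oracle code.
"""
import html
from urllib.parse import parse_qs, urlencode

# Probe containing every character that HTML output encoding must neutralize
# in body and attribute contexts. Constructed test value, not a real payload.
PROBE = "xss\"'<>probe"


def _params(query_string: str) -> dict:
    """Parse a query string into single-valued parameters (first value wins)."""
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {k: v[0] for k, v in parsed.items()}


def render_vulnerable(query_string: str) -> str:
    """Hypothetical search page that echoes parameters verbatim into HTML."""
    p = _params(query_string)
    q = p.get("q", "")
    page = p.get("page", "1")
    # Vulnerable: untrusted parameters are concatenated into the HTML body and
    # into an attribute value without any encoding, so a value such as
    # "><script>... closes the attribute and injects markup.
    return (
        "<html><body>"
        f"<h1>Results for: {q}</h1>"
        f'<input type="hidden" name="page" value="{page}">'
        "</body></html>"
    )


def render_hardened(query_string: str) -> str:
    """Same page, with HTML entity encoding applied where the data is emitted."""
    p = _params(query_string)
    # quote=True also encodes " and ', so an attribute value cannot be closed early.
    q = html.escape(p.get("q", ""), quote=True)
    page = html.escape(p.get("page", "1"), quote=True)
    return (
        "<html><body>"
        f"<h1>Results for: {q}</h1>"
        f'<input type="hidden" name="page" value="{page}">'
        "</body></html>"
    )


def reflected_unencoded(render, param_names):
    """Return the parameters that `render` echoes with the probe's HTML
    metacharacters intact, i.e. the candidates for reflected XSS.

    Each parameter is probed on its own, which finds the simple single-parameter
    cases; reflections that only appear with particular parameter combinations
    need the combinations to be sent explicitly.
    """
    hits = []
    for name in param_names:
        response = render(urlencode({name: PROBE}))
        if PROBE in response:
            hits.append(name)
    return hits


if __name__ == "__main__":
    candidates = ["q", "page", "lang"]
    print("vulnerable page reflects:", reflected_unencoded(render_vulnerable, candidates))
    print("hardened page reflects:  ", reflected_unencoded(render_hardened, candidates))
```

The encoding has to match the output context: `html.escape` is correct for HTML body and quoted attribute values, but data placed inside a script block, a URL or a CSS value needs that context's encoding instead, and the check above only detects the HTML-context case.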
Vulnerabilities in Oracle E-Business Suite with a new record
There is another record in this CPU, related to one of the most important Oracle Business Critical Applications, Oracle E-Business Suite: the number of vulnerabilities fixed in it reached 110. Full details of these vulnerabilities can be found in our security advisory documents. The following graph displays:
- The bars in blue represent the number of vulnerabilities fixed in Oracle E-Business Suite in each CPU.
- The bars in orange represent the total number of vulnerabilities fixed in each CPU from 2005 to 2017.
Stay tuned for our analysis of the upcoming CPUs, which Oracle has scheduled for:
- April 18, 2017
- July 18, 2017
- October 17, 2017
- January 16, 2018