This week, Oracle released its fourth and last Critical Patch Update (CPU) of the year and for the second time this year, the number of security patches exceeded 400. This time, Oracle released 402 new security patches, very close to the record of the July CPU release.
The October CPU release also includes a total of 27 patches for Oracle E-Business Suite (EBS), one of the most widely used ERP software suites in the world. Four of these address critical vulnerabilities, each in a different EBS product, with a CVSS Base Score of 9.1 or higher (vulnerabilities scoring 9.0 or above on the 10-point CVSS scale are considered critical). CVE-2020-14876, CVE-2020-14875 and CVE-2020-14805 are rated 9.1, and CVE-2020-14855 is rated 9.8. CVE-2020-14855 affects only version 12.1.3, whereas CVE-2020-14875, CVE-2020-14876 and CVE-2020-14805 affect versions 12.1 through 12.2.10, the latest Oracle EBS release, which was published only some weeks ago.
All four of these vulnerabilities are easily exploitable: an unauthenticated attacker with network access via HTTP can compromise the affected Oracle EBS system, with a high impact on confidentiality, integrity and availability. A successful attack can result in unauthorized creation, deletion or modification of critical data. It is therefore essential to apply these critical fixes as soon as possible.
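The prioritization advice in this post (critical scores first, and among those the issues reachable over the network without authentication) can be turned into a small triage script. The following is an added example, not Onapsis code or an Oracle tool: it encodes the four EBS CVEs, their CVSS scores and the affected version ranges quoted above as constructed records, and ranks the ones that apply to a given installed EBS release. The `remote_unauth` flag, the function names and the treatment of a short version bound such as `12.2` as covering every 12.2.x release are assumptions.

```python
"""Prioritise Oracle CPU advisories for an installed Oracle EBS release.

Added example, not Onapsis code or an Oracle tool. The advisory records are
constructed from the four EBS CVEs, CVSS scores and affected version ranges
quoted in the post; the `remote_unauth` flag and the helper names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Tuple

CRITICAL_THRESHOLD = 9.0  # CVSS base score at or above this is "Critical" (max 10.0)


@dataclass(frozen=True)
class Advisory:
    cve: str
    product: str
    cvss: float
    affected_min: str    # inclusive lower bound of affected releases
    affected_max: str    # inclusive upper bound; a short bound like "12.2" means all 12.2.x
    remote_unauth: bool  # exploitable over the network without credentials


# Constructed from the post: CVE-2020-14855 is 9.8 and affects only 12.1.3; the
# three 9.1 CVEs affect 12.1 through 12.2.10. All four are reachable via HTTP
# without authentication.
ADVISORIES: List[Advisory] = [
    Advisory("CVE-2020-14855", "Oracle EBS", 9.8, "12.1.3", "12.1.3", True),
    Advisory("CVE-2020-14876", "Oracle EBS", 9.1, "12.1", "12.2.10", True),
    Advisory("CVE-2020-14875", "Oracle EBS", 9.1, "12.1", "12.2.10", True),
    Advisory("CVE-2020-14805", "Oracle EBS", 9.1, "12.1", "12.2.10", True),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """'12.2.10' -> (12, 2, 10). Numeric tuples avoid the lexical trap where
    '12.2.9' would sort after '12.2.10'."""
    return tuple(int(part) for part in version.split("."))


def affects(adv: Advisory, installed: str) -> bool:
    """True if the installed release lies inside the advisory's affected range."""
    inst = parse_version(installed)
    lo = parse_version(adv.affected_min)
    hi = parse_version(adv.affected_max)
    # Lower bound: tuple comparison already treats (12, 1) as <= (12, 1, 3).
    if inst < lo:
        return False
    # Upper bound: compare only as many components as the bound specifies,
    # so an upper bound of "12.2" covers every 12.2.x release.
    return inst[:len(hi)] <= hi


def severity(cvss: float) -> str:
    """CVSS v3 qualitative rating; the post's 9.0 rule is the Critical band."""
    if cvss >= CRITICAL_THRESHOLD:
        return "Critical"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    if cvss > 0.0:
        return "Low"
    return "None"


def prioritise(installed: str, advisories: List[Advisory] = ADVISORIES) -> List[Advisory]:
    """Advisories that apply to `installed`, most urgent first: unauthenticated
    remote issues before the rest, then by descending CVSS, then by CVE id."""
    applicable = [a for a in advisories if affects(a, installed)]
    return sorted(applicable, key=lambda a: (not a.remote_unauth, -a.cvss, a.cve))


def report(installed: str) -> List[str]:
    """One line per applicable advisory, in patch order."""
    return [f"{a.cve} {a.product} CVSS {a.cvss:.1f} ({severity(a.cvss)})"
            + (" remote/unauthenticated" if a.remote_unauth else "")
            for a in prioritise(installed)]


if __name__ == "__main__":
    for release in ("12.1.3", "12.2.10", "12.2.11"):
        print(f"Oracle EBS {release}:")
        for line in report(release) or ["nothing from this list applies"]:
            print("  " + line)
```

Running it with `12.1.3` lists all four CVEs with CVE-2020-14855 (9.8) first; `12.2.10` lists only the three 9.1 issues; a hypothetical later release such as `12.2.11` gets nothing from this list. Replacing the constructed `ADVISORIES` with records taken from the actual CPU advisory text gives a patch order for the whole stack.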
This CPU also includes several critical vulnerabilities affecting Oracle WebLogic Server. It contains five vulnerabilities with a CVSS Base Score of 9.8 which are easily exploitable and allow an unauthenticated attacker with network access via HTTP, IIOP or T3 to compromise Oracle WebLogic Server. A successful attack can result in a takeover of the system.
CPU and Oracle EBS in Numbers
In this CPU, Oracle recommends customers to apply the security patches for technology stack components in Oracle EBS, including the database and Oracle Fusion Middleware. There are 99 vulnerabilities in total affecting this platform:
- 18 for the database (3 of these vulnerabilities may be remotely exploitable without authentication)
- 46 for Oracle Fusion Middleware (36 of these vulnerabilities may be remotely exploitable without authentication)
- 8 for Java (all of these vulnerabilities may be remotely exploitable without authentication)
- 27 for Oracle EBS technology stack components (25 of these vulnerabilities may be remotely exploitable without authentication)
All 99 vulnerabilities in this CPU affect Oracle EBS directly. Running the latest EBS version is therefore not enough: you always need to install the CPU across your whole technology stack as well. Do not forget the WebLogic CPU either; it is just as important as the database and Oracle EBS CPUs. A successful attack on some of the WebLogic vulnerabilities can give access to the WebLogic server, which in an EBS deployment is the same server that runs Oracle EBS.
Finally, a reminder that this is the last CPU of the year; the next CPU will be released on January 19, 2021, so you have time to implement and test this CPU before that date. Onapsis recommends you prioritize patching the most critical vulnerabilities first. To implement this CPU for Oracle EBS, you can use this step-by-step guide to implementing Oracle Critical Patch Updates.
Additionally, Onapsis offers a complimentary Business Risk Illustration (BRI) to assess the cyber risk of your Oracle EBS systems against more than 200 checks to illustrate where your mission-critical applications are vulnerable and most at risk. It demonstrates the value The Onapsis Platform provides by automating continuous assessment of Oracle EBS to deliver actionable intelligence, enabling you to prioritize vulnerability and misconfiguration remediation. Talk to us today to schedule your cyber risk BRI.
Stay tuned to our blog, as we continue to provide you with more information and best practices for Oracle EBS security.