Oracle Fixes 248 Software Vulnerabilities in January 2016

As a company, Onapsis is focused on securing business-critical applications such as SAP and Oracle. An important part of our research relies on identifying, and reporting on critical vulnerabilities in Oracle business applications in order to help Oracle customers reduce the risk to their organization.

This post analyzes the January 2016 Oracle Critical Patch Update (CPU) in order provide Oracle customers with detailed information about new vulnerabilities affecting business critical applications. In addition, this post will help customers better understand and prioritize testing of vulnerabilities on these systems within their organization.

In January 2016, Oracle published a new record of patches, fixing 248 which affect 51 different Oracle products. Compared with the last CPU, in October 2015, the total number increased 60%. Oracle uses the Common Vulnerabilities and Exposures standard (CVE) to uniquely identify the vulnerability, and uses the Common Vulnerability Scoring System V2 (CVSS) to measure the risk implied by the vulnerability such as exploitability, complexity and different aspects of impact.

In this month’s CPU more than 54% of the vulnerabilities directly affect Oracle Business-Critical Applications. It is important to note that more than half of the reported vulnerabilities (60.48%) can be remotely exploited without authentication. This means that the information and processes that could be at risk in companies is extremely relevant, and Oracle customers should take immediate actions to mitigate these risks.

The business critical applications affected are: Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain, Oracle PeopleSoft, Oracle JD Edwards, Oracle iLearning and Oracle Communications Applications. Other product groups could be indirectly impacted depending on the implementation details, the infrastructure and the components supporting the deployment of each Business Critical Application. For example, if Oracle E-Business Suite is running on top of an Oracle Database, the exposure of the EBS could be increased, as vulnerabilities related to the Database indirectly affect the business data.

Comparing this CPU with CPU’s from the last seven years, this CPU has the highest number of fixed vulnerabilities for the Oracle E-Business Suite product.

The top 3 affected product groups are: Oracle E-Business Suite, Oracle Enterprise Manager Grid Control and Oracle Fusion Middleware. It is important to take into account that Oracle E-Business Suite is among these three products and that it’s an Oracle Business Critical Application. In our last four Oracle CPU Blog posts, Oracle Fusion Middleware was placed among the top 3 affected product groups.

The following table shows the number of vulnerabilities published for each product group, according to the January 2016 Oracle CPU:

cpu_january_2016_table.jpg

While it is important to identify the CVSS of the vulnerabilities, the distribution of the CVSS risks in context to all vulnerabilities patched by Oracle on this CPU is also important.

The box plot graph illustrates the distribution of CVSS scores across the January 2016 Oracle Critical Patch Update. As represented in the graph, the CVSS range values go from 1.2 to 10.0 with a median of 5.

box_plot_january_2016.jpg

There are five vulnerabilities with a CVSS score of 10, which due to the number of vulnerabilities being patched, do not affect the median, but definitely need special consideration as they comprise a variety of critical vulnerabilities. Two of these affect Oracle GoldenGate product group (CVE-2016-0451 and CVE-2016-0452). There are three other vulnerabilities with CVSSS 10 which affect Oracle Java SE product (CVE-2016-0494, CVE-2015-8126 and CVE-2016-0483). It is very important to understand that a CVSS score of 10 implies that confidentiality, integrity and availability can be completely compromised through the exploitation of these vulnerabilities.

Most of the business critical applications use Java with Web-based content and enterprise software components in Java. Oracle published that 97% of Enterprise Desktops Run Java.

Common Vulnerabilities and Exposures with CVSS 10

  • CVE-2016-0451; 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C): Oracle Golden Gate component allows a remote attacker to execute remote exploits without authentication which affects confidentiality, integrity and availability.
  • CVE-2016-0452; 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C): Oracle Golden Gate component allows a remote attacker to execute remote exploits without authentication and affects confidentiality, integrity and availability.
  • CVE-2016-0494; 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C): An integer assigned issue was found in the font parsing code in the 2D component in OpenJDK. A customized font file could possibly cause the Java Virtual Machine to execute arbitrary code, allowing an untrustworthy Java application or applet to bypass Java sandbox restrictions.
  • CVE-2015-8126; 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C): Multiple buffer overflows in the png_set_PLTE and png_get_PLTE functions in libpng allow a remote attacker to cause a denial of service attack, or to possibly have an unspecified impact via a small bit-depth value in an IHDR chunk in a PNG image.
  • CVE-2016-0483; 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C): An out-of-bounds write flaw was found in the JPEG image format decoder in the AWT component in OpenJDK. A custom JPEG image could cause a Java application to crash or, possibly execute arbitrary code. An untrustworthy Java application or applet could use this flaw to bypass Java sandbox restrictions.

The Oracle Critical Patch Updates are available at: http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html. Stay tuned for our upcoming Critical Security Update’s scheduled for:

  • April 19, 2016
  • July 19, 2016
  • October 18, 2016
  • January 17, 2017