Another Record Breaking Oracle CPU - April 2017

Yesterday, Oracle released its quarterly security patches, and what a record-breaking CPU it was! With close to 300 published patches, this marks the highest number of patches released to date for any CPU. This further validates the trend we have seen in previous CPUs: Oracle is correcting more vulnerabilities in its products as a result of increased research submissions targeting different Oracle products.

This is the fourth time in the past eight CPUs that Oracle has published such a large number of fixes. This month's CPU affects 121 different Oracle products and versions. Of the 299 patched vulnerabilities, 179 (63% of the total) directly affect business-critical applications.

The following graph summarizes the Oracle business-critical applications that are affected in this CPU:

  • The bars represent the CVSS average for each Oracle product group.
  • The number inside the bar represents the number of fixes.
  • The point represents the maximum CVSS.

As shown, there are at least 8 products with vulnerabilities scored above CVSS 9.0 (including 6 scored CVSS 10), which places them in the critical range. It is very important to apply these specific patches as soon as possible.
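The per-product summary behind the graph (fix count, average CVSS and maximum CVSS per product group) and the "critical first" prioritization this paragraph recommends can be reproduced from any CPU advisory list. The following Python is an added example written for this post, not Onapsis or Oracle code; the product names, CVE identifiers (`CVE-SAMPLE-*`) and scores in `SAMPLE` are constructed placeholders, not the actual April 2017 data. It treats CVSS v3 scores of 9.0 and above as critical, which is the CVSS v3 severity rating for that range.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Fix:
    """One patched vulnerability from a CPU advisory."""
    product: str
    cve: str
    cvss: float   # CVSS v3 base score as published by the vendor
    remote: bool  # True when the vendor marks it as remotely exploitable


# Constructed sample data for illustration; NOT Oracle's April 2017 advisory.
SAMPLE = [
    Fix("E-Business Suite", "CVE-SAMPLE-0001", 9.1, True),
    Fix("E-Business Suite", "CVE-SAMPLE-0002", 7.1, True),
    Fix("E-Business Suite", "CVE-SAMPLE-0003", 7.1, True),
    Fix("E-Business Suite", "CVE-SAMPLE-0004", 4.3, False),
    Fix("Database Server", "CVE-SAMPLE-0005", 10.0, True),
    Fix("Database Server", "CVE-SAMPLE-0006", 6.5, False),
    Fix("Fusion Middleware", "CVE-SAMPLE-0007", 9.8, True),
    Fix("Fusion Middleware", "CVE-SAMPLE-0008", 5.3, True),
]


def summarize_by_product(fixes):
    """Build the numbers the graph plots: fixes, average CVSS and max CVSS per product."""
    groups = {}
    for fix in fixes:
        groups.setdefault(fix.product, []).append(fix)
    return {
        product: {
            "fixes": len(group),
            "avg_cvss": round(mean(f.cvss for f in group), 2),
            "max_cvss": max(f.cvss for f in group),
        }
        for product, group in groups.items()
    }


def products_with_critical(fixes, critical=9.0):
    """Products that carry at least one fix in the CVSS v3 critical range."""
    return sorted({f.cvss >= critical and f.product for f in fixes} - {False})


def prioritize(fixes, critical=9.0):
    """Order fixes for patching: critical first, remotely exploitable before local,
    then descending CVSS within each band."""
    return sorted(fixes, key=lambda f: (f.cvss < critical, not f.remote, -f.cvss))


if __name__ == "__main__":
    for product, stats in summarize_by_product(SAMPLE).items():
        print(f"{product:20} fixes={stats['fixes']} avg={stats['avg_cvss']} max={stats['max_cvss']}")
    print("critical products:", products_with_critical(SAMPLE))
    print("patch order:", [f.cve for f in prioritize(SAMPLE)])
```

Feeding the real advisory rows into `SAMPLE` (one `Fix` per CVE, with the vendor's score and remote flag) yields a ranked patch list; the ordering key deliberately puts a remotely exploitable 9.1 ahead of a local 10.0 only when the threshold separates them, so adjust `critical` if your policy uses a different cut-off.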

Specifically for Oracle E-Business Suite, the most widely used Oracle ERP product, Oracle fixed 11 vulnerabilities this month. Although this is a lower number of patched vulnerabilities than in previous CPUs, 10 of them could be exploited remotely, with the most critical scoring 9.1 under CVSS v3. That vulnerability affects an Oracle Scripting component in E-Business Suite, and Oracle itself describes it as an "easily exploitable vulnerability" that could lead to unauthorized access to critical data, or even complete access to all data reachable through Oracle Scripting.

The Onapsis Research Labs reported 4 of the 11 fixes related to Oracle E-Business Suite, which together cover 10 different vulnerabilities, all of them Cross-Site Scripting bugs in multiple parameters. The CVEs for these vulnerabilities (as assigned by Oracle) are as follows: CVE-2017-3550, CVE-2017-3393, CVE-2017-3337 and CVE-2017-3432. These patches also correct another set of 6 XSS vulnerabilities that are detailed by Oracle in the reference section.

We will publish the full details of these vulnerabilities in our security advisory documents in accordance with our vulnerability disclosure policy. Oracle scored all Onapsis-reported bugs at 7.1 under CVSS v3. The following graph shows how E-Business Suite patches (in blue) have evolved alongside other Oracle patches (in orange) from 2005 to 2017:

Oracle's next CPU is scheduled for July 18, 2017. Stay tuned; we will be updating and summarizing this information for you here.