This week, Oracle released its second Critical Patch Update (CPU) of the year. Containing 397 new security patches, this is a historical mark for Oracle, as it has never released this many patches on a single patch day since at least 2005. The April CPU release also includes a total of 74 patches for Oracle E-Business Suite (EBS), one of the most used ERP systems in the world. This also represents a high number, the first time since January 2017 that more than 50 patches were released for this platform. In total, this CPU affects 116 products and versions, including 54 different patch availability documents for reading and analysis. Because of this volume, it is very important to have an automated tool to check your installed Oracle software to decrease the manual check-up process—saving time and resources for other activities.
The highest vulnerability for Oracle EBS is the one identified with CVE-2020-2838 with CVSS 8.6 on Oracle CRM Gateway for Mobile Devices products, but only affects an older version: 12.1. While this vulnerability is in Oracle CRM Gateway for Mobile Devices, attacks may significantly impact additional Oracle products.
Among the many fixes released is one reported by the Onapsis Research Labs, and is related to the GL (Oracle General Ledger) in Account Hierarchy Manager components. It is CVE-2020-2750, with CVSS of 7.5. The corresponding CPU fixes an information disclosure bug, which could be used by an attacker to obtain the Database Connect description file. This file contains information needed by the application to connect to the database as the APPS user and could be used by a malicious actor to get full access to the database. The vulnerability is present in the Thin Client Framework and is part of the series of TCF critical vulnerabilities reported by Onapsis in 2019 and 2020. Some of them, the most critical ones, were already explained in the Onapsis PAYDAY Threat Report released in late 2019.
With these previously mentioned vulnerabilities, the associated component is present on all Oracle EBS systems by default. Every Oracle EBS customer that does not apply the April CPU will be vulnerable to this sensitive attack that can compromise the system.
Nevertheless, these are only examples of critical attacks. If an attacker successfully exploits these vulnerabilities, exploitation scenarios may vary, including high compromise of all availability, integrity or confidentiality of the information. All supported versions of Oracle EBS are affected by these patches: 12.1.1-12.1.3 and 12.2.3-12.2.9.
CPU and Oracle EBS in Numbers
In this CPU, Oracle recommends the customer apply the security patches for technology stack components in Oracle EBS, including database and Oracle Fusion Middleware. There are 154 vulnerabilities in total affecting this platform:
- 9 for Database (2 of these vulnerabilities may be remotely exploitable without authentication)
- 56 for Oracle Fusion Middleware (49 of these vulnerabilities may be remotely exploitable without authentication)
- 15 for Java (All of these vulnerabilities may be remotely exploitable without authentication)
- 74 for Oracle EBS technology stack components (71 of these vulnerabilities may be remotely exploitable without authentication)
All 154 vulnerabilities in this CPU affect Oracle EBS directly, in all versions from 12.1 to 12.2.9. This means that it is not enough to have the latest version available. You always need to install the CPU in your stack as well. Do not forget about the Weblogic CPU. It is just as important as the Database and Oracle EBS CPU. A successful attack of some of these vulnerabilities in WebLogic can give access to the WebLogic server, and this server is the same as EBS.
Some additional facts about the April CPU and Oracle EBS:
- According to the FIRST rating scale, this Oracle EBS CPU contains 63 High Risk and 11 Medium Risk vulnerabilities
- 47 vulnerabilities only affect versions 12.1.1 to 12.1.3
- 2 vulnerabilities only affect version 12.2.+
- 25 vulnerabilities affect both versions 12.1 to 12.2
Finally, a reminder that the next CPU will be released on July 14 2020, so you have time to implement and test this CPU before that date. Onapsis recommends you prioritize patching the most critical vulnerabilities first. To implement this CPU for Oracle EBS, you can use this step-by-step guide to implementing Oracle Critical Patch Updates.
Additionally, Onapsis offers a complimentary assessment called a Business Risk Illustration (BRI) Onapsis will assess your Oracle EBS systems to show you where you are vulnerable and at risk with more than 200 checks. It demonstrates the value The Onapsis Platform provides by automating continuous monitoring of Oracle EBS to deliver actionable intelligence, enabling you to prioritize vulnerability remediation.