Today Oracle released the last Critical Patch Update of the year with 301 vulnerabilities fixed. In 2018 Oracle fixed in total 1,128 vulnerabilities with an average of 282 grouped by CPU. In this report more than the half of the vulnerabilities were directly associated with business -critical applications, specifically 153 of 301.
Applications affected by vulnerabilities that are fixed in this Critical Patch Update are:
- Construction and Engineering
- E-Business Suite
- Financial Services
- Food and Beverage
- Health Sciences
- Java SE
- JD Edwards
- Supply Chain
Oracle E-Business Suite is one of the most important Enterprise Resource Planning (ERP) tools that Oracle has. In this CPU, Oracle recommends to apply the security patches for technology stack components in Oracle E-Business Suite with a new patch. This include Database, Weblogic, Java and Oracle E-Business Suite. There are in total 43 vulnerabilities: 3 for Database, 12 for Weblogic, 12 Java and 16 for Oracle E-Business Suite technology stack components. For step-by-step instructions to implement the patch for Oracle E-Business Suite, the App DBA can download our educational guide: How to Implement an Oracle CPU.
Weblogic is part of Oracle E-Business Suite and it is important to highlight that after the last CPUs were published some exploits were posted online with all the implications. An attacker with minimal skill could use the exploit to attack unpatched systems. In this CPU there are three vulnerabilities with 9.8 CVSS score. In the following paragraph the CVSS score is explained.
Oracle uses CVSS version 3 to measure the impact of each vulnerability where 10 is the most critical vulnerability impact. In this CPU the highest CVSS value is 10.0 for Golden Gate product, which means that an attacker can use the vulnerability remotely to have full compromise of the CIA triad Confidentiality, Integrity and Availability. For Oracle E-Business Suite the highest CVSS is 8.2.
The CVSS also measures the complexity of attack and network accesses. Regarding this, from the total of 176 business-critical application vulnerabilities 114 are remotely exploitable. A vulnerability exploitable with network access means the vulnerable component is bound to the network stack and the attacker's path is through OSI layer 3 (the network layer). Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable one or more network hops away (e.g. across layer 3 boundaries from routers).
The following graph shows the vulnerabilities number and percentage patched by Oracle for each business-critical application.
Onapsis at Oracle OpenWorld 2018
Oracle OpenWorld is one of the most important conferences in our industry. This year we have the pleasure to present six different sessions at Oracle OpenWorld. If you are planning to attend, don’t miss our sessions. Onapsis will be onsite to provide you with actionable information regarding your Oracle EBS application security so you can walk out of the conference with next steps to secure your organization’s crown jewels. Visit booth #1928 to see live demos of the Onapsis Security Platform and learn about the increasing threat landscape for Oracle EBS applications. View all of our sessions here.