One eye-opening stat from a recent IDC survey of 430 IT decision makers revealed that 64% of organizations had an ERP system breach in the last 24 months. This survey highlights that the concern surrounding critical vulnerabilities of ERP systems is well justified. In this context, Oracle’s 2019 third quarter Critical Patch Update (security patches) released on October 15th is no surprise with many new vulnerabilities in its ERP offerings.
Highlights of 2019 Q3 CPU
In this CPU release, Oracle has ten patches for the Oracle E-Business Suite (EBS), all of which are remotely exploitable over a network without needing a username or password. These include vulnerabilities with Oracle Marketing, Field Service and the iStore. The Way Oracle Works (the WoW) is that regardless of whether or not you are using the modules with these security bugs, you are still vulnerable because all Oracle EBS customers run the same code base.
It is highly recommended that all organizations using Oracle EBS should apply the latest CPU as soon as possible. Keep in mind that Oracle security patches are cumulative, so you only need to apply the Q3 2019 CPU patch to get current (all previous security patches). Also, note that the patch is a bundle—you cannot patch any of the ten vulnerabilities individually.
Beyond the applications, there are numerous serious vulnerabilities in the supporting technologies such as the database, WebLogic, OBIEE and the SOA Suite.
The October CPU has ten security patches for the database, two of which are remotely exploitable. One of these two is with the Java Virtual Machine (VM) within the database itself. All ten database vulnerabilities are with EBS certified versions of the database. This means that depending on what version of the database you are using, you need to pay serious attention to these patches as well to keep your EBS environment secure.
Additionally, there are 37 new security patches for Oracle Fusion Middleware. As Fusion includes WebLogic which is the “front door” of the Oracle EBS, it also includes OBIEE, BI Publisher, Forms as well as the API Gateway and the SOA Suite. All Oracle EBS clients use both BI Publisher and Forms, all 12.2 clients use WebLogic. This means that all Oracle EBS customers, regardless of versions need to prioritize the application of these Fusion Middleware patches—especially given the fact that 31 of the 27 Fusion Middleware vulnerabilities are remotely exploitable.
Remember the stat at the beginning of this blog, 64% of organizations had an ERP system breach in the past 24 months. Pretty shocking, right? And, where does your organization’s most important business assets reside? Your ERP systems. Prioritize applying these patches and don’t become a contributor to this stat.