Oracle Fixes 253 Vulnerabilities in Last CPU of 2016

Oracle fixed 253 vulnerabilities across 76 different products with its quarterly Critical Patch Update.

Oracle fixed 253 vulnerabilities across 76 product lines on Tuesday as part of its quarterly Critical Patch Update. Many of the fixes tackled vulnerabilities in software that secures critical enterprise data.

Vulnerabilities in Oracle Fusion Middleware, a family of infrastructure products the company develops, are some of the most pressing. The update addresses 29 vulnerabilities in the software, 19 of which can be exploited remotely without authentication. Five of those vulnerabilities fetch a CVSS score of 9.8, the highest rating any vulnerabilities fixed this time around garnered.

Each of the vulnerabilities could lead to the takeover of components in the affected software, in this case Oracle Big Data Discovery and Oracle WebLogic Server.

In addition to Fusion Middleware, three other products – Oracle’s Commerce Platform and two retail apps, Retail Customer Insights and Retail Merchandising Insights – also contained critical, remotely exploitable vulnerabilities.

While Fusion Middleware may have had the most critical vulnerabilities, it didn’t have the most overall. Oracle’s Communications Applications, which had 36 vulnerabilities, 31 of which were remotely exploitable, and Oracle’s MySQL, which had 31 vulnerabilities, two of which were remotely exploitable, were the most patched pieces of software on Tuesday.

Java, Oracle’s perennial whipping boy, didn’t emerge this quarter unscathed either. Tuesday’s update fixed seven vulnerabilities in Java SE, all of which can be remotely exploited without authentication; three of them carry a CVSS score of 9.6.

The oldest bug, CVE-2010-5312, dates back to 2010 and exists in Application Express, a component of Oracle’s Database Server. That vulnerability, along with the 11 others fixed in Database Server, should also be on end users’ CPU docket, an expert warned.

“Administrators should plan on patching for CVE-2016-6304, CVE-2016-5598 and CVE-2010-5312 as they are remotely exploitable and attackers can use them after compromising another system on the network,” Amol Sarwate, the director of Vulnerability Labs at Qualys, wrote on the company’s blog Tuesday.

Elsewhere, analysts with ERPScan, a firm that conducts audits on Oracle systems, are encouraging end users to pay attention to vulnerabilities patched in Oracle’s E-Business Suite, especially one that stems from the way OpenSSL is implemented in Oracle HTTP Server.

“The vulnerability is assessed as critical and, according to Oracle’s advisory, allows an unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, which can result in complete DoS of the component,” Darya Maenkova, an analyst at the firm, told Threatpost Tuesday.

“ERPScan researchers conducted a Shodan scan and revealed that approximately 15,000 Oracle HTTP servers are exposed to the Internet,” Maenkova said.

Per usual, noted Oracle bug hunter David Litchfield uncovered a handful of the vulnerabilities fixed this week.

Four of the vulnerabilities he found were of the SQL injection variety and existed in e-Business Suite 12.x and 11.x. The bugs, in utilities owned by both the SYS and SYSTEM users, could lead to SQL execution, Litchfield warned in a PDF document about the bugs published Wednesday.

E-Business Suite, the main business software made by the company, is usually flush with sensitive processes and key data, meaning a compromise could lead to the theft of business critical information.

Litchfield, a security engineer at Google, described at Black Hat earlier this summer how he found a litany of vulnerabilities in the platform – 50 in a week – including cross-site scripting bugs and SQL injections.

“It’s a rich source of vulnerabilities,” Litchfield said during his talk. “There’s a lot of juicy stuff an attacker would look at and like to break in.”

Oracle’s products figure into almost countless business implementations worldwide. When Bangladesh Bank’s SWIFT payment system was compromised in February, researchers at BAE Systems said malware was operating in an Oracle-powered environment running SWIFT’s software. Litchfield said at DEFCON in 2011 that an Oracle database hack was to blame for the Sony PlayStation Network outage that April.

With this week’s update, the last of 2016, Oracle has fixed almost 1,000 vulnerabilities, 913 in total, in its products this year. Almost every update contained more than 200 fixes, almost twice the average number of fixes, 110, pushed out by the company from 2011 to 2015.

Tuesday’s update is the second largest issued by the company. Oracle set the record when it released its last CPU, fixing 276 vulnerabilities, in July this past summer.
