Oracle patched 250 vulnerabilities across hundreds of different products as part of its quarterly Critical Patch Update released today.
Among the products with the most patches are Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.
Of the fixes, security researchers at Onapsis said they identified three high-risk SQL injection vulnerabilities in Oracle's popular E-Business Suite (EBS).
“While all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,” said JP Perez-Etchegoyen, CTO of Onapsis.
Onapsis is warning users of Oracle EBS versions 12.1 and 12.2 that they are exposed to SQL injection vulnerabilities that could allow an attacker with network access, and without any username or password, to gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.
Perez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers who can disrupt, exfiltrate or manipulate data that is part of a business’ enterprise resource planning, supply chain management or finance management systems.
“These vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,” Perez-Etchegoyen said.
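To make the class of flaw described above concrete, here is an added example that is not Oracle's code, Onapsis' code, or anything from EBS: a hypothetical web-facing lookup written in Python against an in-memory SQLite table (constructed sample data standing in for an ERP customer table). It shows an HTTP query parameter pasted into SQL text, which is all an unauthenticated attacker needs to read every card record or rewrite every row, next to the parameterized form that treats the same input as plain data.

```python
import sqlite3


def build_db():
    # Constructed sample data; the schema is hypothetical, not an EBS table.
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE customers (id INTEGER, name TEXT, card_last4 TEXT, region TEXT)"
    )
    db.executemany(
        "INSERT INTO customers VALUES (?, ?, ?, ?)",
        [
            (1, "Acme Corp", "4242", "EMEA"),
            (2, "Globex", "1881", "AMER"),
            (3, "Initech", "0005", "APAC"),
        ],
    )
    return db


def lookup_vulnerable(db, region):
    # The 'region' value comes straight from an HTTP parameter; no session
    # or credential is involved, so anyone who can reach the endpoint
    # controls part of the SQL statement.
    sql = (
        "SELECT id, name, card_last4 FROM customers WHERE region = '"
        + region
        + "'"
    )
    return db.execute(sql).fetchall()


def lookup_safe(db, region):
    # Bound parameter: the driver sends the value separately from the
    # statement text, so quotes and OR clauses in it are just characters.
    sql = "SELECT id, name, card_last4 FROM customers WHERE region = ?"
    return db.execute(sql, (region,)).fetchall()


def set_region_vulnerable(db, customer_id, region):
    # Numeric id interpolated without binding; "1 OR 1=1" rewrites every row.
    sql = (
        "UPDATE customers SET region = '" + region + "' WHERE id = " + customer_id
    )
    db.execute(sql)
    return db.execute(
        "SELECT COUNT(*) FROM customers WHERE region = ?", (region,)
    ).fetchone()[0]


def set_region_safe(db, customer_id, region):
    # Same update with both values bound; a non-numeric id matches nothing.
    db.execute(
        "UPDATE customers SET region = ? WHERE id = ?", (region, customer_id)
    )
    return db.execute(
        "SELECT COUNT(*) FROM customers WHERE region = ?", (region,)
    ).fetchone()[0]


def demo():
    # Returns what each variant yields for the same attacker-supplied input.
    read_payload = "EMEA' OR '1'='1"
    db = build_db()
    vulnerable_rows = lookup_vulnerable(db, read_payload)  # all three rows
    safe_rows = lookup_safe(db, read_payload)  # no such region
    legit_rows = lookup_safe(db, "EMEA")  # the one intended row

    db = build_db()
    rows_rewritten = set_region_vulnerable(db, "1 OR 1=1", "PWNED")  # 3

    db = build_db()
    rows_rewritten_safe = set_region_safe(db, "1 OR 1=1", "PWNED")  # 0

    return {
        "vulnerable": vulnerable_rows,
        "safe": safe_rows,
        "legit": legit_rows,
        "rows_rewritten": rows_rewritten,
        "rows_rewritten_safe": rows_rewritten_safe,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The read payload only needs a single quote to break out of the string literal; the write payload needs none, because the id was interpolated as a bare number. Both are stopped by binding parameters rather than by filtering input, which is the point worth taking from the Onapsis warning.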
Onapsis said vulnerabilities found in Oracle’s EBS are on the rise, with a 29 percent increase in 2017 compared to the previous year.
The patches come just weeks after Oracle OpenWorld where Larry Ellison, co-founder, executive chairman and chief technology officer of Oracle, stressed the importance of security during his keynote. Ellison also used the occasion to stress the importance of software patching in light of the recent Equifax breach.
Last month, Oracle used an advisory as an opportunity to remind users that in April it had fixed the Apache Struts vulnerability (CVE-2017-5638) behind Equifax’s massive breach of 143 million Americans.
Organizations are falling down when it comes to patching their most important business-critical applications, Perez-Etchegoyen said.
Citing a recent Ponemon Research study, Perez-Etchegoyen said fewer than half of the 600 respondents interviewed said they have a monthly plan to implement security patches for their Oracle EBS applications. Seventy percent believe it is likely their company would have a data breach due to insecure Oracle EBS applications that they have failed to secure or apply patches to.
Also part of Oracle’s quarterly update are patches for its Java Platform, Standard Edition, which received 22 new security fixes. Twenty of these vulnerabilities may be remotely exploitable without authentication, that is, they may be exploited over a network without requiring user credentials, Oracle said. The highest CVSS base score of vulnerabilities affecting Oracle Java SE is 9.6.
Impacted are Java Advanced Management Console, Java SE, Java SE Embedded and JRockit.
Oracle Database Server received six security fixes with two of the vulnerabilities remotely exploitable without authentication. Affected Oracle Database Server components include Spatial (Apache Groovy), WLM (Apache Tomcat), Java VM, RDBMS Security, Core RDBMS and XML Database.