Oracle patched 270 vulnerabilities on Tuesday, many remotely exploitable, across 45 different products, including its E-Business Suite, Financial Services software, and MySQL database, as part of its quarterly Critical Patch Update (CPU).
The massive update comes close to breaking Oracle's record-setting July 2015 CPU, in which it fixed 276 vulnerabilities.
About 40 percent of the issues fixed this week are remotely exploitable without authentication, Oracle warns. The bulk of the vulnerabilities are in Oracle's E-Business Suite, which had a whopping 118 remotely exploitable bugs, followed by Java SE and Fusion Middleware, which had 16 remotely exploitable bugs apiece.
121 issues in total were fixed in Oracle's main business software, E-Business Suite, or EBS. While the total number of fixes for this quarter's CPU may not have broken any records, according to ERPScan, a firm that specializes in Oracle and SAP security, the number of fixes to EBS did; it's the highest number of fixes any one Oracle system has ever received. If exploited, many of the bugs could lead to the theft of key business data or the manipulation of business-critical information, according to Oracle's risk matrix.
The nastiest issue fixed Tuesday, at least according to its CVSS score (10.0), is a vulnerability in the company's cloud-based project management platform, Primavera Products Suite. If exploited, the vulnerability can result in the creation, deletion, or modification of critical business data. It can also provide unauthorized access to critical data and open the door to partial denial of service attacks, Oracle warns.
According to the company's risk matrix, the vulnerability is "easily exploitable" and affects a number of versions of the software: 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2.
“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera P6 Enterprise Project Portfolio Management. While the vulnerability is in Primavera P6 Enterprise Project Portfolio Management, attacks may significantly impact additional products,” the risk matrix for the vulnerability (CVE-2017-3324) reads.
In addition to the Primavera issue, 18 of the other 270 vulnerabilities carry a rating of 9.0 and up and should also be prioritized, especially those in Enterprise Manager Grid Control (Oracle's system management software), Fusion Middleware, and Java SE.
Researchers with ERPScan found two of the vulnerabilities fixed: a cross-site scripting error in PeopleSoft that could have let an attacker use a specially crafted HTTP request to hijack session data from admins, and a denial of service issue in OpenJDK.
Researchers with Onapsis Research Labs found a good chunk of the bugs, 102 of the 270. According to Matias Mevied, an Oracle Security Specialist at the firm, all of the bugs its researchers found were cross-site scripting vulnerabilities. Details on the bugs are scant, however, beyond the fact that some can be exploited with a simple parameter while others require more difficult parameters.
In addition to researchers with ERPScan and Onapsis, researchers with Cisco Talos, Tenable Network Security, and Red Hat Product Security, along with Google's Daniel Bleichenbacher and David Litchfield, formerly of Google, are also credited with reporting vulnerabilities fixed in this quarter's CPU. Oracle thanks researchers but doesn't attach them to specific CVEs, so it's unclear which researcher found which vulnerability.
While it's early in 2017, the sheer number of vulnerabilities patched this quarter puts Oracle on pace to break the average number of fixes it pushes per year. In 2015 the average number of vulnerabilities Oracle patched per CPU was 153. Last year that figure shot up to 227 vulnerabilities.