Oracle has shipped 237 patches for vulnerabilities impacting hundreds of product versions as part of its latest quarterly critical patch update.
Product lines coming in for some of the most fixes include Oracle Financial Services Applications, with 34, Fusion Middleware with 27, MySQL with 25 and Java SE with 21. In many cases, the vulnerabilities can be exploited remotely by an attacker, without need for user credentials.
As always, Oracle is urging customers to apply patches as soon as possible, saying it regularly receives reports of attackers continuing to exploit weaknesses for which it already shipped a fix.
To that end, SANS Technology Institute researchers recently reported on an incident wherein hackers used the Monero miner to attack Oracle WebLogic Server and PeopleSoft installations, generating some $226,000 in crypto currency in the process. A patch for the vulnerability, which allows an attacker to perform remote execution commands in WebLogic instances, had already been released in October but apparently wasn’t applied to the affected installations.
The Monero attack prompted researchers at SAP and Oracle security vendor Onapsis to see whether other Oracle applications, which hold troves of critical business information, could be affected in a similar manner. They discovered that was indeed the case with Oracle E-Business Suite, according to an Onapsis Security Blog:
“Once properly executed, the exploit gives the attacker full operating system command, with a high privileged user (APPLMGR), so several attacks can be performed that can affect all confidentiality, integrity and availability of information,” according to the post.
A successful attacker would gain access to a remote console, allowing them to install malicious code, whether it be cryptocurrency miners, rootkits or ransomware, Onapsis said.
Meanwhile, the latest critical patch update includes seven fixes for E-Business Suite. Onapsis says it found and reported two of the vulnerabilities, which have a CVSS score of 9.1. The potential for damage to enterprise systems regarding these is severe, Onapsis writes:
“[A]n attacker could execute an arbitrary query in the database to get information such as credit cards, customer information, supplier information, etc. Affecting the integrity, an attacker could modify invoice prices in the database and, regarding availability, could be affected by removing some configuration table or executing a procedure that could cause the database corruption.”
The Monero attackers and those like them may not be cognizant of what information may be on the servers they exploit for cryptocurrency mining; rather, less experienced ones are just looking for compute power to exploit, said Onapsis head of research Sebastian Bortnik in an interview. “They know they are in a gold mine, but they’re not fully aware of which types of servers they are using,” Bortnik said.
That hardly means enterprises should rest easy. A ransomware attack that compromises critical data stores would likely cost enterprise much more than $226,000, he said. Then there are the prospects of thieves selling corporate data for competitive intelligence and other means, Bortnik added.