Oracle is urging customers to patch critical vulnerabilities in its products as part of its massive April update, which fixes a whopping 297 flaws.
Of those flaws, 53 vulnerabilities in Oracle products had a CVSS score of 9.0 or higher, making them “critical” severity – and in fact, 49 of those critical flaws had a CVSS score of 9.8. Products with the most vulnerabilities as part of this quarterly patch include the Oracle Fusion Middleware, the Oracle E-Business Suite and Oracle MySQL.
Oracle recommends that its customers update as soon as possible, as many of the vulnerabilities are critical and could be exploited remotely without authentication.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes,” according to the company’s Wednesday advisory. “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply critical patch update fixes without delay.”
Oracle Fusion Middleware, its digital business platform for the enterprise and the cloud, had the most vulnerabilities, with 53 flaws patched. Forty-two of those flaws could be remotely exploitable without authentication, Oracle said, meaning they may be exploited over a network without requiring user credentials.
Up to 14 of the flaws in Fusion Middleware had a CVSS score of 9.8, making them critical. That includes a critical remote code-execution flaw (CVE-2016-1000031) in Fusion Middleware that impacts the Oracle API Gateway, and a stack-based buffer overflow flaw (CVE-2019-3822) in Oracle HTTP Server.
Oracle E-Business Suite, its integrated set of business applications that includes supply-chain management and resource-planning tools, has 35 vulnerabilities, 33 of which could be remotely exploitable without authentication.
That includes a vulnerability (CVE-2019-2663) that has a CVSS base score of 8.2. The flaw, if exploited, allows an unauthenticated attacker with network access via HTTP to compromise Oracle Advanced Outbound Telephony.
“Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Advanced Outbound Telephony-accessible data as well as unauthorized update, insert or delete access to some of Oracle Advanced Outbound Telephony accessible data,” according to Oracle.
MySQL, Oracle’s open-source relational database management system, meanwhile has 45 vulnerabilities, four of which may be remotely exploitable without authentication. The highest severity of the MySQL vulnerabilities has a CVSS score of 7.5, according to Oracle.
Other products that were riddled with vulnerabilities include Oracle Communications Applications, which had 26 new security fixes (19 of which could be remotely exploitable without authentication); Oracle Retail Applications, which had 24 security fixes (20 of which could be exploited remotely without authentication); and Oracle Virtualization, which had 15 security flaws (three of which were remotely exploitable without authentication).
Other impacted products in the advisory include Oracle Enterprise Manager, Oracle’s Banking Platform and Oracle Supply Chain Products.
“One thing that has always stood out to me is the number of vulnerabilities in Oracle software that are remotely exploitable without authentication,” Chris Goettl, director of product management for security at Ivanti, told Threatpost. “This is the type of vulnerability a threat actor is going to use to possibly gain a foothold in your environment, but more often to move around your network very easily.”
Goettl told Threatpost that remotely exploitable vulnerabilities are “low-hanging fruit for an attacker.”
“They can utilize them without having to target a user, which is also a bonus since many of the Oracle products are running on servers where targeting a user is often not an option,” he said. “They also know companies struggle to keep products like Java, Fusion Middleware, PeopleSoft and more up to date because of breaking changes and business constraints. This means they get a long life out of exploits they acquire or develop.”
Oracle’s last critical patch update, in January, issued slightly fewer fixes, patching 284 vulnerabilities.