July 13, 2020 (updated 14 Jul 2020, 3:47pm)

Businesses Running Oracle: Get Ready for a Massive, Critical Patching Session

Business leaders be warned: some serious patching is needed

By CBR Staff Writer

Oracle users, steel yourselves: a mammoth quarterly Oracle patch update landing tomorrow addresses a record 433 new security vulnerabilities, many of which affect multiple products. Hundreds of them are remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible”, the company said in a boilerplate announcement. Users may want to take this one seriously.

Some of the security bugs carry the maximum CVSS score of 10.0, meaning they are easy to exploit and give an attacker extensive privileges. Numerous others are rated 9.8 and affect everything from MySQL through to Oracle Financial Services Applications, which alone receives a huge 38 new security patches; more than half of those are, worryingly, remotely exploitable without authentication, Oracle said.

The Oracle patch update comes as part of its standard quarterly cycle. It is the highest number of patches pushed out on a single day by the software giant that Computer Business Review has seen, tracking back to January 2015.

Segregation of duties, access controls, web application firewalls and other traditional security products are not capable of preventing or detecting unauthenticated exploitation of the BigDebIT vulnerabilities (described below), because those exploits do not require a user name or password.

Oracle Patch Update: What to Look Out For

The patches land tomorrow (July 14, 2020). Here is where the critical vulnerabilities sit, as excerpted from Oracle’s pre-release guidance.

Oracle Communications Applications

  • Security patches: 58
  • Maximum CVSS score: 10.0
  • Remotely exploitable without authentication: 45

Oracle Construction and Engineering

  • Security patches: 20
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 15

Oracle E-Business Suite

  • Security patches: 29
  • Maximum CVSS score: 9.1
  • Remotely exploitable without authentication: 23

Oracle Enterprise Manager

  • Security patches: 14
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 10

Oracle Financial Services Applications

  • Security patches: 38
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 26

Oracle Fusion Middleware

  • Security patches: 53
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 49

Oracle JD Edwards

  • Security patches: 6
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 6

Oracle MySQL

  • Security patches: 40
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 6

Oracle Retail Applications

  • Security patches: 39
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 34

Oracle Siebel CRM

  • Security patches: 5
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 5

Oracle Supply Chain

  • Security patches: 22
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 18

Oracle Database Server

  • Security patches: 20
  • Maximum CVSS score: 8.8
  • Remotely exploitable without authentication: 1

Oracle GoldenGate

  • Security patches: 3
  • Maximum CVSS score: 9.6
  • Remotely exploitable without authentication: 1
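With a dozen products to patch at once, the useful question is which to take first. The script below is an added example (not from the article or from Oracle): it parses per-product blocks in the same shape as the excerpt above and ranks them by exposure, under the assumed rule that the count of unauthenticated remotely exploitable bugs outweighs the maximum CVSS score, which outweighs the raw patch count. The sample input is constructed from three of the entries above.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the pre-release excerpt (three products).
SAMPLE = """
Oracle Database Server.
  • Security patches: 20
  • Maximum CVSS score: 8.8
  • Remotely exploitable without authentication: 1

Oracle Fusion Middleware.
  • Security patches: 53
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 49

Oracle Communications Applications
  • Security patches: 58
  • Maximum CVSS score: 10.0
  • Remotely exploitable without authentication: 45
"""

FIELDS = {  # bullet label -> attribute on Product
    "Security patches": "patches",
    "Maximum CVSS score": "max_cvss",
    "Remotely exploitable without authentication": "unauth_remote",
}
BULLET = re.compile(r"^\s*[•*-]\s*(?P<label>[^:]+):\s*(?P<value>\d+(?:\.\d+)?)\s*$")

@dataclass
class Product:
    name: str
    patches: int = 0
    max_cvss: float = 0.0
    unauth_remote: int = 0

def parse_excerpt(text: str) -> list[Product]:
    """Turn per-product bullet blocks into Product records."""
    products: list[Product] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = BULLET.match(line)
        if m is None:  # a non-bullet line names the next product; drop a stray '.'
            products.append(Product(line.strip().rstrip(".")))
        elif products and m["label"] in FIELDS:
            attr = FIELDS[m["label"]]
            value = float(m["value"]) if attr == "max_cvss" else int(m["value"])
            setattr(products[-1], attr, value)
    return products

def rank_for_patching(products: list[Product]) -> list[Product]:
    """Assumed triage rule: most unauthenticated remote bugs first, then highest
    maximum CVSS, then most patches."""
    return sorted(products, key=lambda p: (p.unauth_remote, p.max_cvss, p.patches), reverse=True)

def patch_first(products: list[Product]) -> list[str]:
    """Products with at least one unauthenticated remote bug and a maximum score
    in the CVSS v3 Critical band (9.0 or higher)."""
    return [p.name for p in rank_for_patching(products) if p.unauth_remote and p.max_cvss >= 9.0]

if __name__ == "__main__":
    for p in rank_for_patching(parse_excerpt(SAMPLE)):
        print(f"{p.name:36} unauth={p.unauth_remote:3} cvss={p.max_cvss:4} patches={p.patches}")
```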

While business leaders may be tempted to delay patching, persistently doing so is among the leading causes of cyber attacks. As the FBI warned last month, with an eye to US businesses (the same principle applies in the UK): “The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date.”

For those noticing low levels of hype around Oracle vulnerabilities in general and assuming that exploits are too challenging, research published in June by security firm Onapsis showcased how two vulnerabilities (dubbed “BigDebIT”) with CVSS scores of 9.9 out of 10 in E-Business Suite – Oracle’s ERP software deployed at more than 21,000 companies – could be used by an unauthenticated hacker to perform an automated exploit on the General Ledger module. The now-patched bugs could be used to extract assets from a company (such as cash) and modify accounting tables.

See also: The Top 10 Most Exploited Vulnerabilities: Intel Agencies Urge “Concerted” Patching Campaign
