July 13, 2020 (updated 14 Jul 2020 3:47pm)

Businesses Running Oracle: Get Ready for a Massive, Critical Patching Session

Business leaders be warned: some serious patching is needed

By CBR Staff Writer

Oracle users, steel yourselves: a mammoth quarterly Oracle patch update landing tomorrow addresses a record 433 new security vulnerabilities, many of which affect multiple products. Hundreds of them are remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible”, the company said in a boilerplate announcement. Users may want to take this one seriously.

CVSS scores for the security bugs include some rated the maximum 10.0, meaning they are easy to exploit and give an attacker extensive privileges, and numerous 9.8-rated vulnerabilities affecting everything from MySQL through to a huge 38 new security patches for Oracle Financial Services Applications, more than half of which are — worryingly — remotely exploitable without authentication, Oracle said.

The Oracle patch update comes as part of its standard quarterly cycle. It is the highest number of patches pushed out on a single day by the software giant that Computer Business Review has seen, tracking back to January 2015.

Segregation of Duties, access controls, web application firewalls and other traditional security products are not capable of preventing or detecting unauthenticated exploits on the BigDebIT vulnerabilities because they do not require a user name or password.

Oracle Patch Update: What to Look Out For

The patches land tomorrow (July 14, 2020). Here is where the critical vulnerabilities sit, as excerpted from Oracle’s pre-release guidance.

Oracle Communications Applications

  • Security patches: 58
  • Maximum CVSS score: 10.0
  • Remotely exploitable without authentication: 45

Oracle Construction and Engineering

  • Security patches: 20
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 15

Oracle E-Business Suite

  • Security patches: 29
  • Maximum CVSS score: 9.1
  • Remotely exploitable without authentication: 23

Oracle Enterprise Manager

  • Security patches: 14
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 10

Oracle Financial Services Applications

  • Security patches: 38
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 26

Oracle Fusion Middleware

  • Security patches: 53
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 49

Oracle JD Edwards

  • Security patches: 6
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 6

Oracle MySQL

  • Security patches: 40
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 6

Oracle Retail Applications

  • Security patches: 39
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 34

Oracle Siebel CRM

  • Security patches: 5
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 5

Oracle Supply Chain

  • Security patches: 22
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 18

Oracle Database Server

  • Security patches: 20
  • Maximum CVSS score: 8.8
  • Remotely exploitable without authentication: 1

Oracle GoldenGate 

  • Security patches: 3
  • Maximum CVSS score: 9.6
  • Remotely exploitable without authentication: 1

While business leaders may be tempted to delay patching, persistently doing so is among the leading causes of cyber attacks. As the FBI warned last month, with an eye to US businesses (the same principle applies in the UK): “The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date.”

For those noticing low levels of hype around Oracle vulnerabilities in general and assuming that exploits are too challenging: research published in June by security firm Onapsis showcased how two vulnerabilities (dubbed “BigDebIT”) with CVSS scores of 9.9 out of 10 in E-Business Suite, Oracle’s ERP software deployed at more than 21,000 companies, could be used by an unauthenticated hacker to perform an automated exploit on the General Ledger module. The now-patched bugs could be used to extract assets from a company (such as cash) and modify accounting tables.
