Oracle users, steel yourselves: a mammoth quarterly Oracle patch update landing tomorrow addresses a record 433 new security vulnerabilities, many of which affect multiple products. Hundreds of them are remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.
“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible”, the company said in a boilerplate announcement. Users may want to take this one seriously.
CVSS scores for the security bugs include some rated the maximum 10.0, meaning the flaw is reachable over the network, needs no privileges or user interaction, is easy to exploit, and gives an attacker full control that extends beyond the vulnerable component, plus numerous 9.8-rated vulnerabilities affecting everything from MySQL through to a huge 38 new security patches for Oracle Financial Services Applications, more than half of which are, worryingly, remotely exploitable without authentication, Oracle said.
The Oracle patch update comes as part of its standard quarterly cycle. It is the highest number of patches pushed out on a single day by the software giant that Computer Business Review has seen, tracking back to January 2015.
Controls that depend on knowing who is logged in, such as Segregation of Duties rules and role-based access controls, cannot prevent or detect unauthenticated exploits like those for the BigDebIT bugs in E-Business Suite (discussed below), because the attacker never presents a user name or password. A web application firewall can at best block known exploit patterns in front of the application; it does not remove the flaw, so patching remains the only real fix.
Oracle Patch Update: What to Look Out For
The patches land tomorrow (July 14, 2020). Here is where the critical vulnerabilities sit, as excerpted from Oracle’s pre-release guidance.
Oracle Communications Applications
- Security patches: 58
- Maximum CVSS score: 10.0
- Remotely exploitable without authentication: 45
Oracle Construction and Engineering
- Security patches: 20
- Maximum CVSS score: 9.8
- Remotely exploitable without authentication: 15
Oracle E-Business Suite
- Security patches: 29
- Maximum CVSS score: 9.1
- Remotely exploitable without authentication: 23
Oracle Enterprise Manager
- Security patches: 14
- Maximum CVSS score: 9.8
- Remotely exploitable without authentication: 10
Oracle Financial Services Applications
- Security patches: 38
- Maximum CVSS score: 9.8
- Remotely exploitable without authentication: 26
Oracle Fusion Middleware
- Security patches: 53
- Maximum CVSS score: 9.8
- Remotely exploitable without authentication: 49
Oracle JD Edwards
- Security patches: 6
- Maximum CVSS score: 9.8
- Remotely exploitable without authentication: 6
Oracle MySQL
- Security patches: 40
- Maximum CVSS score: 9.8
- Remotely exploitable without authentication: 6
Oracle Retail Applications
- Security patches: 39
- Maximum CVSS score: 9.8
- Remotely exploitable without authentication: 34
Oracle Siebel CRM
- Security patches: 5
- Maximum CVSS score: 9.8
- Remotely exploitable without authentication: 5
Oracle Supply Chain
- Security patches: 22
- Maximum CVSS score: 9.8
- Remotely exploitable without authentication: 18
Oracle Database Server
- Security patches: 20
- Maximum CVSS score: 8.8
- Remotely exploitable without authentication: 1
Oracle GoldenGate
- Security patches: 3
- Maximum CVSS score: 9.6
- Remotely exploitable without authentication: 1
While business leaders may be tempted to delay patching, persistently doing so is among the leading causes of cyber attacks. As the FBI warned last month, with an eye to US businesses (the same principle applies in the UK): “The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date.”
For those who notice the low level of hype around Oracle vulnerabilities in general and assume that exploitation is too challenging, research published in June by security firm Onapsis showed how two vulnerabilities (dubbed “BigDebIT”) with CVSS scores of 9.9 out of 10 in E-Business Suite, Oracle’s ERP software deployed at more than 21,000 organisations, could be used by an unauthenticated attacker to perform an automated exploit against the General Ledger module. The now-patched bugs could be used to extract assets from a company (such as cash) and modify accounting tables.
See also: The Top 10 Most Exploited Vulnerabilities: Intel Agencies Urge “Concerted” Patching Campaign