CIO

Oracle’s monster update emphasizes flaws in critical business applications

Oracle hasn’t been “just” a database company in a long time, and nowhere is that more evident than in its quarterly critical patch update release, where the bulk of the fixes are in business applications like PeopleSoft and E-Business Suite.
IDG

IDG

Recent global malware outbreaks WannaCry and NotPetya exposed how much enterprises struggle with patching. Staying current with the latest security patches involves testing, preparing and deploying the updates and enterprises are lagging behind as each product has its own update schedule.

It is easy to wag fingers about how it shouldn't take IT more than 60 days to deploy an update, but consider the current workload. On top of the regularly scheduled monthly updates from Microsoft and Adobe, some organizations may need to deal with the latest Cisco patches. Organizations are still working on closing the SMB vulnerability, especially the out-of-network updates for Windows XP and other unsupported systems. Enterprises with iOS devices need to prioritize the latest update to address a serious security flaw in its WiFi chip.

Then there is Oracle’s gargantuan Critical Patch Update (CPU), which fixed a whopping 308 vulnerabilities across its entire product portfolio. Over half, or 168, of the fixes address vulnerabilities that could be remotely exploited without needing any kind of user authentication.

“For the second time this year, the latest Oracle patch release has reinforced the accelerating challenges cybersecurity teams face in keeping pace with software flaws and the malicious hackers that exploit them,” said John Matthew Holy, CTO of Waratek.

Databases aren’t the focus

On the July CPU, 27 of the vulnerabilities fixed would be rated as critical, as they have a CVSS base score between 9.0 and 10.0. The most critical vulnerability, with the CVSS score of 10.0 was in the Oracle WebLogic Server component of Oracle Fusion Middleware (the JNDI subcomponent). An unauthenticated attacker with network access via HTTP could compromise and take over Oracle WebLogic Server 10.3.6.0 and 12.1.3.0. “While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products,” ERPscan said in its analysis.

Security holes in Java tend to have wide-ranging impact, as they can pop up in other applications. The latest CPU fixed 32 vulnerabilities in Java, of which 28 were remotely exploitable without authentication. Three Java SE, Java SE Embedded and JRockit vulnerabilities were considered critical, with a CVSS base score of at least 9.0. All affect multiple versions of the respective software.

Oracle may be perceived as the “database company,” but its flagship product Oracle Database Server hasn’t been a major focus of the CPU in years, and that remains the case even with this monster update. The giant released only five patches for Oracle Database Server, three of which are remotely exploitable in the Oracle Secure Backup and Oracle Big Data Graph components included with the server. The CPU had 30 patches for MySQL, the database Oracle acquired as part of its 2009 Sun acquisition, of which nine were remotely exploitable without authentication.

That’s not to say there are no serious bugs left in the databases. Two of the three most critical vulnerabilities fixed in the CPU were in Oracle Database Server and MySQL. The vulnerability in the OJVM component (CVE-2017-10202) in Oracle Database Server 11.2.0.4, 12.1.0.2, 12.2.0.1  has a CVSS base score of 9.9. A low privileged attacker with “Create Session, Create Procedure” privilege who has remote access to the database over multiple protocols can compromise and take over the OJVM.

[Related: Oracle fixes Struts and Shadow Brokers exploits in huge patch release]

The third most critical flaw, with a CVSS base score of 9.8, is in the Monitor: General (Apache Struts 2) subcomponent in the MySQL Enterprise Monitor component of MySQL 3.1.5.7958 and earlier, 3.2.5.1141 and earlier, and 3.3.2.1162 and earlier. The vulnerability can be exploited by an unauthenticated attacker with network access via HTTP over TLS to compromise MySQL Enterprise Monitor.

Vulnerabilities in business applications

So far in 2017, Oracle has patched 878 vulnerabilities across nearly two dozen product suites. Nearly two-thirds of the suites patched in this CPU are business critical applications, including the Oracle Hospitality Suite, Oracle E-Business Suite and Oracle PeopleSoft. Considering the breadth of Oracle’s portfolio, the updates impact a large number of enterprise applications and data, making the process of testing and deploying patches even more of a challenge.

Oracle fixed 120 vulnerabilities in Oracle E-Business Suite, of which 118 are remotely exploitable. Security company Onapsis said the critical information disclosure (CVE-2017-10244) flaw, if exploited, would let attackers download business documents and configuration files without needing valid user credentials. Attackers can find exposed vulnerable Oracle EBS systems using Shodan and send carefully crafted requests using specific parameters to bypass authentication. All the business documents that were attached by users across different EBS modules, regardless of format, can be downloaded using a single HTTP request.

Oracle EBS versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 are affected. “This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it. Even systems in DMZ mode do not ensure these systems are not vulnerable,” said Onapsis CTO Juan Perez-Etchegoyen.

Considering the suite includes applications that handle CRM, financials, service and supply chain management, and procurement, among other critical business functions, impacted documents include invoices, resumes from potential job candidates, design documents, customer information, financial reports and others containing personal identifiable information (PII).

 “Finally, depending on the industry, the exposure of these documents could lead to costly compliance violations with SOX, PCI-DSS, NIST, PII and SPI Privacy Laws, to name a few,” ERPscan’s Matias Mevied said.

ERPscan said the number of issues fixed in Oracle PeopleSoft, which includes PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management, during this single update was “alarming.” For comparison, Oracle fixed 44 issues in PeopleSoft in all of 2016. Of the 30 vulnerabilities in PeopleSoft, 20 could be exploited over the network without requiring user credentials. More than 1,000 PeopleSoft applications are exposed to the Internet, making this another juicy target for attackers.

[Related: Oracle patches raft of vulnerabilities in business applications]

It is only recently that researchers have started digging into business applications such as Oracle EBS and PeopleSoft. They weren’t originally built with security in mind and are typically not covered under traditional IT and security defenses. Considering the critical nature of these applications, securing these applications get tougher when downtime isn’t an option.

Not patching, or delaying, isn’t an option

Attackers don’t bother with zero-day vulnerabilities when they can exploit flaws that have been disclosed publicly. Just because a patch is available doesn’t mean the software has been updated. Consider that the WannaCry ransomware worm easily spread globally because of the number of Windows systems that had not yet been updated with the security update. Security teams are overburdened and under-resourced; they cannot apply physical patches fast enough to stay ahead of the attackers. But these applications need to be updated—they contain too many critical pieces of information to risk having them open to attack.