Oracle Patches Record 334 Vulnerabilities in July 18
19.7.18 securityweek Vulnerebility
Oracle Patches Over 200 Remotely Exploitable Vulnerabilities in July 18 Critical Patch Update
Oracle this week released its July 18 set of patches to address a total of 334 security vulnerabilities, the largest number of flaws resolved with a Critical Patch Update (CPU) to date. Over 200 of the bugs may be remotely exploitable without authentication.
This month, 23 products from the enterprise security giant were patched, including E-Business Suite, Financial Services Applications, Fusion Middleware, Hospitality Applications, Java SE, MySQL, PeopleSoft Products, Retail Applications, Siebel CRM, and the Sun Systems Products Suite.
More than 50 of the flaws addressed this month had a CVSS 3.0 Base Score of 9.8. Overall, 61 security bugs had a CVSS score of 9.0 or above, according to Oracle’s advisory.
A total of 203 vulnerabilities were patched in business-critical applications, around 65% of which could be exploited remotely without entering credentials, ERPScan, a company that specializes in securing Oracle and SAP applications, points out.
This month, Financial Services Applications received the largest number of fixes, at 56. 21 of these vulnerabilities may be remotely exploitable without authentication.
Fusion Middleware received the second largest number of patches, at 44, with 38 of the addressed issues remotely exploitable without authentication.
Next in line are Retail Applications at 31 fixes (26 flaws being remotely exploitable) and MySQL, also with 31 patches (only 7 bugs remotely exploitable), followed by Hospitality Applications with 24 fixes (7 issues remotely exploitable), Sun Systems Products Suite at 22 patches (10 flaws remotely exploitable), and Enterprise Manager Products Suite with 16 fixes (all remotely exploitable without authentication).
Oracle also addressed vulnerabilities in PeopleSoft Products (15 bugs – 11 remotely exploitable without authentication), E-Business Suite (14 flaws – 13 remotely exploitable), Communications Applications (14 – 10), Virtualization (12 – 2), Construction and Engineering Suite (11 – 6), JD Edwards Products (10 – 9), Java SE (8 – 8), and Supply Chain Products Suite (8 – 6).
“On the surface, the downward trend of Java SE patches would appear to be positive,” Apostolos Giannakidis, Security Architect at Waratek, told SecurityWeek. “However, several actions taken to fix Java SE vulnerabilities in the July CPU are likely to break the functionality of certain applications. Application owners who apply binary patches should be extremely cautious and thoroughly test their applications before putting patches into production.”
"The fix for the most critical Java SE vulnerability in the July CPU - CVE-18-2938 - removes the vulnerable component (Java DB) from the JDK," Waratek explained in a guidance note sent to SecurityWeek Wednesday. "Users that depend on this component must manually obtain the latest Apache Derby artifacts and rebuild their applications."
The least impacted products include Utilities Applications (4 vulnerabilities – 3 remotely exploitable without authentication), Policy Automation (3 flaws – all remotely exploitable), and Database Server (3 – 1).
All of the vulnerabilities impacting Hyperion (2 bugs), Insurance Applications (2), Global Lifecycle Management (1), iLearning (1), Siebel CRM (1), and Support Tools (1) may be exploited remotely without authentication.
Some of the most important issues addressed this month could be exploited remotely to take over the impacted application: CVE-2017-15095 in Oracle Spatial, CVE-18-7489 in Global Lifecycle Management OPatchAuto component, CVE-18-2943 in Fusion Middleware MapViewer, CVE-18-2894 in WebLogic Server, and CVE-2017-5645 in PeopleSoft Enterprise FIN Install.
In late June, Oracle announced the availability of patches for new variants of the speculative execution attack methods known as Meltdown and Spectre. The company released the first set of mitigations against Spectre and Meltdown as part of the January 18 CPU.
All Oracle customers are advised to apply the fixes included in Oracle’s Critical Patch Updates without delay, as some of the addressed vulnerabilities are being targeted by malicious actors in live attacks.
“Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches,” the company notes.