Oracle has one-upped itself once again. The company fixed a record 276 vulnerabilities – more than half of which are remotely exploitable – as part of its July Critical Patch Update released Tuesday afternoon.
The quarterly patch update resolves vulnerabilities in 84 different products, including Oracle Database Server, Oracle Fusion Middleware, and Oracle’s E-Business Suite to name a few. The number of fixes exceeds the previous all time high, 248 patches, pushed by Oracle in January and marks more than double the amount of vulnerabilities addressed by the company in its last CPU in April.
Like the April CPU, more than 50 percent of the vulnerabilities, 159 in total, can be exploited remotely without authentication. Oracle Fusion Middleware is the biggest culprit; 35 of the 40 vulnerabilities that affect the software are remotely exploitable.
The company’s E-Business Suite – in which 21 of the 23 vulnerabilities are remotely exploitable – and Oracle Sun Systems Products Suite – in which 21 of the 34 vulnerabilities are remotely exploitable – also merit attention.
Nineteen vulnerabilities across nine different products fetch a CVSS 3.0 rating of 9.8, the most critical vulnerability rating this quarter. While Oracle is encouraging its customers to apply the fixes as soon as possible, users will want to prioritize the update if they’re running one of the nine affected pieces of software: Oracle Fusion Middleware, Supply Chain Products, Oracle Communications Applications, Oracle Health Sciences, Oracle Retail Applications, Oracle Sun Systems Products Suite, and Oracle Virtualization.
All 19 bugs are remotely exploitable without authentication, meaning an attacker wouldn’t need a username or password to exploit them, according to Oracle’s advisory. It wouldn’t be an Oracle CPU without patches for perennial whipping boy Java. This quarter’s update includes 13 patches for Java SE, nine of which are remotely exploitable without authentication. Users running Java SE version(s) 6u115, 7u101, 8u92, or Java SE Embedded, version(s) 8u92, are affected.
Noted researcher David Litchfield, a skilled Oracle bug hunter, uncovered nearly 10 percent of the vulnerabilities, 27 bugs, including a mix of SQL injections, cross-site scripting vulnerabilities, and server-side request forgery attacks. Litchfield outlined the bugs via .PDF documents on Tuesday. Multiple SQLi, XSS, SSRF and more… details for 27 flaws patched in the July 2016 CPU https://t.co/PmEsC8sf4F — David Litchfield (@dlitchfield) July 19, 2016 Among them were a slew of XSS flaws in Oracle Primavera, project management software that’s usually used in industries such as engineering, construction, aerospace and other fields.
Litchfield discovered that via arbitrary HTML/script that doesn’t use parentheses or a .write clause an attacker could bypass a XSS filter designed to protect users against exploitation in the software. One of the scariest sounding vulnerabilities he found exists in Agile, Oracle’s Product Lifecycle Management Database.
The vulnerability could allow a user Index Privileges on SYS tables, something that could allow them to execute as SYS and allow “complete compromise of the database.” Litchfield also described a series of SQL injections in eBusiness Suite, a XSS and SSRF flaw in Apex, and XSS vulnerabilities in Oracle Business Intelligence Enterprise Edition. Considering the sheer number of vulnerabilities, experts on Tuesday said it’s likely admins will have their plates full with this quarter’s patches.
“Oracle systems are complex and multi-component, not speaking about numerous customizations every company usually has,”Alexander Polyakov, CTO at ERPScan, a company that helps companies secure Oracle enterprise resource planning (ERP) systems, “So, Oracle admins should be ready for difficult and time-consuming work of implementing all the patches.”
By Chris Brook