Oracle Patches Vulnerabilities

Friday, October 20, 2017 @ 12:10 PM gHale


Oracle released its Critical Patch Update (CPU) for October this week to fix 252 vulnerabilities.

The most affected Oracle products this month include Fusion Middleware, Hospitality Applications, E-Business Suite, MySQL, PeopleSoft Products, Communications Applications and Java SE.


So far this year, Oracle has fixed 1,119 vulnerabilities in its products, a 22 percent increase over last year.

Of the 252 vulnerabilities addressed in this CPU, 182, or 72 percent of the total, directly affect business-critical applications.

The most critical vulnerabilities addressed this month affect Hospitality Reporting and Analytics, Siebel Apps, and Hospitality Cruise AffairWhere, and carry CVSS Base Scores of 10.0 or 9.9. By exploiting these issues, an attacker could either take over the application or cause it to hang or crash repeatedly (a complete denial of service).

Of the 26 issues patched in Oracle E-Business Suite, 21 were assessed as high risk, two as low, and three received no severity rating.

Affecting Oracle EBS versions 12.1 and 12.2, the flaws could be abused over a network without any username or password. By exploiting the vulnerabilities, an attacker could potentially gain access to and modify critical documents and information, including credit card data, customer information, HR documents, and financial records, researchers said.

Oracle EBS is one of the most critical applications used by large organizations in enterprise resource planning (ERP), customer relationship management (CRM), supply chain management (SCM), finance management, human capital management, procurement and many others.

Last month, Oracle released patches to address vulnerabilities in the Apache Struts 2 framework, including CVE-2017-9805, a flaw leveraged by attackers. Some of the affected Oracle products included MySQL Enterprise Monitor, Communications Policy Management, FLEXCUBE Private Banking, Retail XBRi, Siebel, WebLogic Server, and various Financial Services and Insurance products.
