Oracle drops 299-patch security update - 25 of them rated 10 out of 10 by CVSS
Shadow Brokers, the NSA and others have kept Oracle busy this year
Oracle has dropped a hefty 299-patch security update overnight to fix a slew of vulnerabilities across a wide range of the company's software. And 25 of the patches are intended to fix security flaws rated at 10 out of 10 for criticality by the Common Vulnerability Scoring System (CVSS).
The release breaks the company's previous record - a mere 276 patches in July 2016 - and reflects the growth in the number of vulnerabilities that Oracle has had to patch: up from just 78 in January 2012 to more than 250 per quarter over the past year.
Furthermore, in addition to the patches for the 25 vulnerabilities rated 10 out of 10 by CVSS, a further 15 were rated critical.
Forty-seven of the patches are intended to fix financial services applications, while 39 are intended to fix vulnerabilities in the widely used open-source database MySQL.
One of the fixes for the Solaris operating system was highlighted by the recent Shadow Brokers release of hacking tools linked to the US National Security Agency.
A total of 39 are intended to fix vulnerabilities in retail applications, fixes that may go back to last year's serious breach of the company's MICROS retail systems unit - and Oracle isn't the only retail systems vendor that has been targeted.
Moreover, the release includes patches to fix vulnerabilities across the whole range of Oracle enterprise resource planning (ERP) software applications - PeopleSoft, E-Business Suite, JD Edwards, Siebel CRM, Oracle Financial Services, and Oracle Primavera Products Suite, with almost two-thirds of them exploitable remotely without the requirement for credentials.
"Oracle's critical patch update for April 2017 is characterised by the record-setting number of fixes addressing vertical applications. Security issues in Financial Services, Retail, Communications, Utilities, Hospitality, Health Sciences, and Insurance applications total 122 and account for 37% of all patches. Moreover, 61% (75) of them are exploitable remotely," warned ERP software security specialists ERPScan.
It also highlighted some of the most serious of the critical vulnerabilities that the patch release should fix:
- Easily exploitable vulnerability in the Solaris component of Oracle Sun Systems Products Suite, which enables an unauthenticated attacker with network access via multiple protocols to compromise Solaris. While the vulnerability is in Solaris, attacks may significantly affect additional products. Successful attacks of this vulnerability can result in takeover of servers running Solaris. This is believed to be the flaw exploited by the hacking tool released by Shadow Brokers earlier this month;
- Easily exploitable vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL that allows an unauthenticated attacker with network access via multiple protocols to compromise MySQL Enterprise Monitor. While the vulnerability is in MySQL Enterprise Monitor, attacks may significantly affect other products;
- Easily exploitable vulnerability in Oracle Financial Services Data Integration Hub that allows an unauthenticated attacker with network access via HTTP to compromise the software and can result in its takeover.
ERPScan also highlighted 10-out-of-10-rated vulnerabilities in Oracle's Flexcube Private Banking software.
Organisations need to patch their enterprise systems as a matter of priority, warned ERPScan chief technology officer Alexander Polyakov, as they are increasingly regarded as more lucrative targets for the most sophisticated cyber crime gangs than individuals.
"Nowadays, hackers set their eyes on enterprises more than on individuals, as they understand that they are more profitable targets. Taking into account that Oracle's products are installed in the largest enterprises, these applications can be their ultimate target.
"The good news is that the vendor drew attention to this critical area before a serious data breach happened. The bad news is that Oracle admins will have a lot of work to do installing numerous patches."