60 per cent of fixes in Oracle's October CPU were aimed at business-critical apps

Oracle has closed 1,119 issues in the first 10 months of 2017; 22 per cent more than all of 2016

Oracle has fixed a security vulnerability in its PeopleSoft business application rated 9.8/10 for criticality by the Common Vulnerability Scoring System (CVSS), in its October Critical Patch Update (CPU).

The Remote Command Execution vulnerability enabled a malicious user to gain full remote access to all the data in the PeopleSoft system. The vulnerability was found in the core platform, meaning that every PeopleSoft system is affected. ERPScan founder and CTO Alexander Polyakov notes, "These systems store the most critical user data such as SSNs, bank account numbers, and other personal information, which is subject to GDPR compliance."

Oracle issued 23 fixes for PeopleSoft this month; 13 of which can be exploited over the network without entering user credentials. There have been 76 PeopleSoft fixes this year, compared to 29 in 2015 and 44 last year.

In total, Oracle's October CPU contained 252 fixes, on par with this time last year, but lower than the 300+ fixes in the April and July CPUs. Nevertheless, Oracle has deployed more than 1,100 fixes this year: more than a 20 per cent YoY increase from 914 in 2016.

62 per cent of the patches in the CPU (155) were applied to business-critical applications, including PeopleSoft (23), E-Business Suite (26) and Fusion Middleware (40). ERPScan reports that around 71 per cent of them can be exploited remotely.

Three of the CPU (two for Oracle Hospitality Reporting and Analytics and one for Siebel Apps - Field Service) fixes were rated 10/10 and two (Oracle Hospitality Cruise AffairWhere and Oracle Hospitality Reporting and Analytics) 9.9/10.