118 out of 121 Oracle E-Business suite vulnerabilities "remotely exploitable"

Oracle: Can't break it, can't break in - these 270 security vulnerabilities notwithstanding

Oracle has released a massive critical patch update covering a total of 270 new security vulnerabilities, with Oracle E-Business Suite the focus of 121 of them.

The quarterly Critical Patch Update Advisory for January 2017, second only to July's patch update in terms of the sheer number of patches, was released overnight, with the advice that "due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible".

Indeed, according to ERP security specialists ERPScan, 118 of the 121 Oracle E-Business Suite vulnerabilities addressed by the patches "may be remotely exploitable without authentication".

The ERP system vulnerabilities cover not just the Oracle E-Business Suite, but also Oracle PeopleSoft, Oracle Retail Applications, Oracle JD Edwards, and Oracle Supply Chain products, as well as Oracle Database Server, Oracle Fusion Middleware, Oracle Tuxedo, Oracle WebLogic Server, MySQL, Solaris 11.3, and MICROS retail systems - among others.

Even Oracle banking software isn't immune from the patch onslaught.

The most critical involve Primavera P6 Enterprise Project Portfolio Management, Oracle WebLogic Server, PeopleSoft Enterprise PeopleTools, JD Edwards EnterpriseOne Tools and Enterprise Manager Base Platform, according to ERPScan.

Oracle also warned that its enterprise software has increasingly become the focus of attacks, and that it has received reports of successful attacks exploiting vulnerabilities for which it has already released patches that customers have not yet applied.

"Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes," warned the advisory.

It continued: "In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay."

However, ERPScan suggested that part of the reason for the surge in number of Oracle patches, particularly for E-Business Suite, was simply the level of interest in it from security researchers.

"We can assume that Oracle EBS attracted third-party researchers' attention, which resulted in the huge number of vulnerabilities. For example, the surge of interest in SAP solutions in 2010 led to the skyrocketing number of identified security issues (834 in 2010 vs. 131 in 2009). So, as a rule of thumb, when security researchers focus on an application, they will find security issues for sure," suggested ERPScan.