Don't panic! Oracle releases 237 patches fixing 153 vulnerabilities in business-critical applications

Critical flaws in Fusion Middleware, PeopleSoft and MICROS retail applications fixed in Oracle's latest Critical Patch Update

Oracle has released 236 patches in its January Critical Patch Update, with three security flaws rated 9.8 out of 10 for criticality among the many vulnerabilities fixed.

These three flaws affect Fusion Middleware, PeopleSoft and Retail Applications, and organisations running the software have been urged to patch as a matter of urgency before exploits are developed to take advantage of them.

In addition, Oracle has also issued a patch for the MICROS Handheld Terminal - MICROS being the target of particularly sophisticated attacks in 2016, which Oracle remains tight-lipped about.

A successful attack against Oracle E-Business Suite allows an attacker to steal and manipulate business-critical information

The most vulnerable application, according to ERP security specialists ERPScan, is Oracle Financials, with IT departments charged with applying 34 patches this month. "However, not only the number but the criticality of issues is alarming. Thirteen of them can be exploited over the network without entering user credentials," ERPScan warned.

Fusion Middleware and the MySQL open-source database are not far behind with 27 and 25 respectively.

"Between this and the previous Critical Patch Updates, Oracle urgently closed severe issues including a vulnerability dubbed JoltandBleed (CVE 2017-10269)... This vulnerability allows an attacker to gain full access to all data stored in the following ERP systems:

• Oracle PeopleSoft Campus Solutions;
• Oracle PeopleSoft Human Capital Management;
• Oracle PeopleSoft Financial Management; and
• Oracle PeopleSoft Supply Chain Management."

Eight of the 15 fixes for Oracle PeopleSoft can be exploited over a corporate network without requiring user credentials - one of the three vulnerabilities rated at 9.8 out of ten.

Oracle E-Business Suite is Oracle's main business software, for which the company is providing seven patches - four of which can be exploited over a network without credentials.

"A successful attack against Oracle E-Business Suite allows an attacker to steal and manipulate business-critical information, depending on modules installed in an organisation," warned ERPScan, with the most severe vulnerability rated at 9.1 out of 10.

Not only the number but the criticality of issues is alarming. Thirteen of them can be exploited over the network without entering user credentials

The company also highlighted three particular vulnerabilities patched by Oracle this month, all of them described as "easily exploitable". These include patches for:

• Sun ZFS Storage Appliance Kit;
• Oracle WebLogic Server component of Oracle Fusion Middleware;
• Oracle Directory Server Enterprise Edition, where vulnerabilities could result in a takeover of the entire package;
• Oracle Retail Convenience and Fuel POS Software, which features vulnerabilities that could "result in takeover of Oracle Retail Convenience and Fuel POS software"; and,
• PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil.

While 237 patches may sound a lot, that is stretched out over a wide range of applications and is by no means Oracle's busiest month - that was in July 2017, when the company issued 308 patches.

ERPScan, though, notes that the average number of patches issued by Oracle every month has more-or-less doubled in just the past three years.