Oracle’ CPU for January 2017 Facts and figures

Have you already seen the latest Oracle’s Critical Patch Update and are you overwhelmed with the numerous fixes? This is hardly surprising. To somehow help Oracle admins and those who are engaged in patching process, we have prepared a short overview highlighting the key features.

1.The average number of security issues released every quarter keeps growing and exceeds 200.

On 17th of January, Oracle released a near-record-breaking January set of security patches consisting of 270 fixes (the maximum number of updates saw the light in July, 2016, and totals 276).

There is a notable trend of the growing volume of Oracle’s CPUs. The average number of fixes for 2015 was 153 and for 2016 – 227. For the first time, the number of the patches exceeded a 200-mark in January 2015. Nowadays, over 200-patch volume seems to have become usual.

The reason may lie in the fact that Oracle’s enterprise software became the focus of repeated attacks, Oracle states.

2.The focus has shifted from Database and Java SE to critical business applications.

This quarter, more than 42% of the patches (namely, 121) address vulnerabilities in Oracle E-Business Suite (Oracle’s main business software developed), which is a record-breaking number of patches released for a single product. To make matter worse, 97% of them may be remotely exploitable without authentication.

We have been engaged in Oracle Business applications research since 2008 and the security of EBS, JDE, and PeopleSoft applications was always on our radar. However, these products attracted wide attention only 2 years ago when interns of ERPScan discovered multiple vulnerabilities in Oracle EBS, which was covered by the largest media. It resulted in the skyrocketing number of the identified and closed vulnerabilities in the solution, which reached its peak this quarter.

The situation reminds the state of SAP security several years ago. In 2009, there were a few dozens of bugs, in 2010 as SAP security was in the spotlight, the number of closed issues totaled some 800.

Nonetheless, the matter is much broader than just SAP and EBS security. There are dozens of other business applications used in different industries that are waiting for becoming a new hot topic.

3.The patch update closes 17 critical vulnerabilities

Oracle provides Risk Matrices and associated documentation describing the conditions required to leverage a vulnerability as well as a potential impact in case of successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS).

According to CVSS base score v.3, if the rate is more than 9.0 (the maximum is 10.0), it is considered critical. This CPU contains 16 such bugs, including one assessed 10.0. For 31 of the closed issues, all Impact Metrics (Confidentiality, Integrity and Availability) were rated high.

It is worthy of note that it is not a very difficult task to identify critical vulnerabilities in Oracle’s software. For example, this time, the issue (CVE-2017-3241) assessed 9.0 was identified by an intern (once again) at ERPScan. The issue DoS in Oracle OpenJDK. OpenJDK is an open-source implementation of the Java Platform, Standard Edition. The OpenJDK project is used by third-party developers, meaning that their custom application may include vulnerable code and be suspicious to the DoS vulnerability.