Oracle issued its quarterly update, the July 2017 Critical Patch Update (CPU), that addresses 308 security vulnerabilities, 30 of them are rated as critical.

This July 2017 Critical Patch Update (CPU) addressed security vulnerabilities in 22 Oracle products, including Oracle Database Server, Oracle Enterprise Manager, Oracle Fusion Middleware, Oracle Hyperion, Oracle E-Business Suite, Oracle Industry Applications (Communications, Retail, and Hospitality), Oracle Primavera, Oracle Sun Products, Oracle Java SE, and Oracle MySQL.

27 out of 308 vulnerabilities addressed by Oracle were classified as critical flaws, they were rated with a CVSS score between 9.0 and 10.0, only one bug was rated 10. More than half of the issues addressed by the security patched can be exploited remotely without authentication.

One of the issues is a remote privilege escalation flaw tracked as CVE-2017-3632 in the Solaris CDE Calendar component. Other Solaris vulnerabilities could be exploited to power DDoS attacks or to allow unauthorized data alterations.

The Oracle Security update also addressed ten critical vulnerabilities in Java SE, nine of them rated 9.6. According to Oracle, 28 of 32 Java flaws “may be remotely exploitable without authentication”.

The CPU addressed 30 vulnerabilities in Oracle MySQL, 9 of them are remotely exploitable.

Experts are particularly concerned for about 30 vulnerabilities affecting PeopleSoft, 20 of them can be exploited over the network without user credentials.

The updates also fixed a critical flaw in Oracle WebLogic rated 10 and tracked as CVE-2017-10137 which could be exploited by hackers to elevate privileges.

One of the most severe issued in the E-Business Suite was an Information Disclosure flaw tracked as CVE-2017-10244. The issued can be exploited by an attacker “to exfiltrate sensitive business data without requiring a valid user account in the system,”

“This vulnerability is especially critical as an attacker would only need a web browser and network access to the EBS system to perform it. Any number of critical documents could be stored in the system including invoices, purchase orders, HR information and design documents to start. Even systems in DMZ mode do not ensure these systems are not vulnerable,” said Juan Perez-Etchegoyen, Onapsis CTO.

The huge number of vulnerabilities addressed by Oracle in the July 2017 Critical Patch Update (CPU) demonstrates how large is our surface of attack. Each flaw could be potentially exploited by attackers to break into one of the Oracle solutions.

Apply the security updates as soon as possible.

Pierluigi Paganini

(Security Affairs – July 2017 Critical Patch Update (CPU),Oracle)