Pierluigi Paganini October 19, 2017

Oracle released the October 2017 Critical Patch Update (CPU) that addresses a total of 252 security vulnerabilities that affect multiple products.

Most of the vulnerabilities fixed by Oracle could be remotely exploitable without authentication.

This is the last Oracle Critical Patch Update of 2017, this year the tech giant already resolved 1119 vulnerabilities, or 22% more than in 2016.

The largest number of fixed vulnerabilities was affecting Fusion Middleware (40 vulnerabilities, 26 remotely exploitable without authentication), Hospitality Applications (37), E-Business Suite (26), MySQL (25), PeopleSoft Products (23), Communications Applications (23), and Java SE (22).

182 of the 252 vulnerabilities addressed by this October 2017 Critical Patch Update affect business-critical applications, including Sun Systems Products Suite (10 vulnerabilities), Retail Applications (9), Siebel CRM (8), Supply Chain Products Suite (7), Virtualization (6), Database Server (6), Hyperion (4), JD Edwards Products (2), Financial Services Applications (2), Health Sciences Applications (1), Construction and Engineering Suite (1), and Enterprise Manager Grid Control (1).

The most critical vulnerabilities affect Hospitality Reporting and Analytics, Siebel Apps, and Hospitality Cruise AffairWhere, they were received a CVSS Base Scores of 10.0 or 9.9. An attacker can exploit these flaws to take over vulnerable applications or to trigger a DoS condition.

Two vulnerabilities in Oracle Hospitality Reporting and Analytics were assessed with the maximum CVSS score of 10.0. Both flaws were exploitable by an unauthentic attacker over HTTP to access all of the reporting and analytics data running on the vulnerable system.

The October 2017 Critical Patch Update also addressed a critical vulnerability in PeopleSoft core engine tracked as CVE-2017-10366. Attackers can trigger the flaw to gain remote code execution on a server running PeopleSoft software.

“This vulnerability can be exploited by sending a HTTP request to the PeopleSoft service with a serialized JAVA object,” said Alexander Polyakov, CTO at ERPScan. “After unserialization, it can run any command on the server.

“Because this vulnerability was found in HTTP service it can be easily available via the internet if company exposes their PeopleSoft system to the Internet,”

The experts at ERPscan who queried Shodan search engine for vulnerable PeopleSoft systems discovered more than 1,000 installations exposed on the internet, including more than 200 belonging to government agencies and universities in the U.S.

9 Cross Site Scripting (XSS) vulnerabilities were discovered by security firm ERPscan, all of them with a CVSS base score of 8.2. The researchers explained that attacker could exploit these flaws to steal cookies or perform “session riding” attacks.

For further details on the October 2017 Oracle Critical Patch Update let me suggest reading the excellent report published by ERPscan.

Pierluigi Paganini 

(Security Affairs – October 2017 Critical Patch Update, Oracle)

[adrotate banner=”5″]

[adrotate banner=”13″]