Record Oracle Patch Update: 433 Vulnerabilities Need Tackling



Business leaders be warned: some serious patching is needed

Oracle users, steel yourselves: a mammoth quarterly Oracle patch update landing tomorrow addresses a record 433 new security vulnerabilities, many of which affect multiple products. Hundreds of them are remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.

“Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update patches as soon as possible”, the company said in a boilerplate announcement. Users may want to take this one seriously.

CVSS scores for the security bugs include some rated the maximum 10.0, meaning they are easy to exploit and give an attacker extensive privileges, and numerous 9.8-rated vulnerabilities affecting everything from MySQL through to a huge 38 new security patches for Oracle Financial Services Applications, more than half of which are — worryingly — remotely exploitable without authentication, Oracle said.

The Oracle patch update comes as part of its standard quarterly cycle. It is the highest number of patches pushed out on a single day by the software giant that Computer Business Review has seen, tracking back to January 2015.

Segregation of Duties, access controls, web application firewalls and other traditional security products are not capable of preventing or detecting unauthenticated exploits of the BigDebIT vulnerabilities (the Onapsis research discussed below), because those exploits do not require a username or password.

Oracle Patch Update: What to Look Out For

The patches land tomorrow (July 14, 2020). Here is where the critical vulnerabilities sit, as excerpted from Oracle’s pre-release guidance.

Oracle Communications Applications

  • Security patches: 58
  • Maximum CVSS score: 10.0
  • Remotely exploitable without authentication: 45

Oracle Construction and Engineering

  • Security patches: 20
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 15

Oracle E-Business Suite

  • Security patches: 29
  • Maximum CVSS score: 9.1
  • Remotely exploitable without authentication: 23

Oracle Enterprise Manager

  • Security patches: 14
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 10

Oracle Financial Services Applications

  • Security patches: 38
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 26

Oracle Fusion Middleware

  • Security patches: 53
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 49

Oracle JD Edwards

  • Security patches: 6
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 6

Oracle MySQL

  • Security patches: 40
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 6

Oracle Retail Applications

  • Security patches: 39
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 34

Oracle Siebel CRM

  • Security patches: 5
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 5

Oracle Supply Chain

  • Security patches: 22
  • Maximum CVSS score: 9.8
  • Remotely exploitable without authentication: 18

Oracle Database Server

  • Security patches: 20
  • Maximum CVSS score: 8.8
  • Remotely exploitable without authentication: 1

Oracle GoldenGate

  • Security patches: 3
  • Maximum CVSS score: 9.6
  • Remotely exploitable without authentication: 1

While business leaders may be tempted to delay patching, persistently doing so is among the leading causes of cyber attacks. As the FBI warned last month, with an eye to US businesses (the same principle applies in the UK): “The public and private sectors could degrade some foreign cyber threats to U.S. interests through an increased effort to patch their systems and implement programs to keep system patching up to date.”

For those noticing low levels of hype around Oracle vulnerabilities in general and assuming that exploits are too challenging, research published in June by security firm Onapsis showcased how two vulnerabilities (dubbed “BigDebIT”) with CVSS scores of 9.9 out of 10 in E-Business Suite, Oracle’s ERP software deployed at more than 21,000 companies, could be used by an unauthenticated hacker to perform an automated exploit on the General Ledger module. The now-patched bugs could be used to extract assets from a company (such as cash) and modify accounting tables.

See also: The Top 10 Most Exploited Vulnerabilities: Intel Agencies Urge “Concerted” Patching Campaign
