October 2017 Oracle Critical Patch Update addresses 252 Vulnerabilities

Haythem Elmir
0 1
Read Time2 Minute, 17 Second

Oracle released the October 2017 Critical Patch Update (CPU) that addresses a total of 252 security vulnerabilities that affect multiple products.

Most of the vulnerabilities fixed by Oracle could be remotely exploitable without authentication.

This is the last Oracle Critical Patch Update of 2017, this year the tech giant already resolved 1119 vulnerabilities, or 22% more than in 2016.

The largest number of fixed vulnerabilities was affecting Fusion Middleware (40 vulnerabilities, 26 remotely exploitable without authentication), Hospitality Applications (37), E-Business Suite (26), MySQL (25), PeopleSoft Products (23), Communications Applications (23), and Java SE (22).

182 of the 252 vulnerabilities addressed by this October 2017 Critical Patch Update affect business-critical applications, including Sun Systems Products Suite (10 vulnerabilities), Retail Applications (9), Siebel CRM (8), Supply Chain Products Suite (7), Virtualization (6), Database Server (6), Hyperion (4), JD Edwards Products (2), Financial Services Applications (2), Health Sciences Applications (1), Construction and Engineering Suite (1), and Enterprise Manager Grid Control (1).

The most critical vulnerabilities affect Hospitality Reporting and Analytics, Siebel Apps, and Hospitality Cruise AffairWhere, they were received a CVSS Base Scores of 10.0 or 9.9. An attacker can exploit these flaws to take over vulnerable applications or to trigger a DoS condition.

Two vulnerabilities in Oracle Hospitality Reporting and Analytics were assessed with the maximum CVSS score of 10.0. Both flaws were exploitable by an unauthentic attacker over HTTP to access all of the reporting and analytics data running on the vulnerable system.

The October 2017 Critical Patch Update also addressed a critical vulnerability in PeopleSoft core engine tracked as CVE-2017-10366. Attackers can trigger the flaw to gain remote code execution on a server running PeopleSoft software.

“This vulnerability can be exploited by sending a HTTP request to the PeopleSoft service with a serialized JAVA object,” said Alexander Polyakov, CTO at ERPScan. “After unserialization, it can run any command on the server.

“Because this vulnerability was found in HTTP service it can be easily available via the internet if company exposes their PeopleSoft system to the Internet,”

The experts at ERPscan who queried Shodan search engine for vulnerable PeopleSoft systems discovered more than 1,000 installations exposed on the internet, including more than 200 belonging to government agencies and universities in the U.S.

9 Cross Site Scripting (XSS) vulnerabilities were discovered by security firm ERPscan, all of them with a CVSS base score of 8.2. The researchers explained that attacker could exploit these flaws to steal cookies or perform “session riding” attacks.

For further details on the October 2017 Oracle Critical Patch Update let me suggest reading the excellent report published by ERPscan.

To read the original  article:

http://securityaffairs.co/wordpress/64490/hacking/october-2017-oracle-critical-patch-update.html

Happy
Happy
0 %
Sad
Sad
0 %
Excited
Excited
0 %
Sleepy
Sleepy
0 %
Angry
Angry
0 %
Surprise
Surprise
100 %

Average Rating

5 Star
0%
4 Star
0%
3 Star
0%
2 Star
0%
1 Star
0%

Laisser un commentaire

Next Post

Cyber espionage – China-Linked group leverages recently patched .NET Flaw

Security researchers at Proofpoint spotted a cyber espionage campaign conducted by a group previously linked to China. The hackers have been using a recently patched .NET vulnerability, tracked as CVE-2017-8759, in attacks aimed at organizations in the United States. “Proofpoint researchers are tracking an espionage actor targeting organizations and high-value […]