Oracle issues 270 critical patches

By on
Oracle issues 270 critical patches

E-Business Suite the most vulnerable.

Oracle has released a large number of critical security patches for the first month of the year, with 121 updates alone for its E-Business Suite (EBS).

Its critical patch update (CPU) for January 2017 addresses a total of 270 vulnerabilities across Oracle's product portfolio.

According to security vendor ERPscan, 97 percent - or 118 vulnerabilites in EBS - are remotely exploitable without any authentication.

"A succesful attack against Oracle EBS allows an attacker to steal and manipulate different [types of] business-critical information, depending on the modules installed in an organisation," ERPscan said.

Of the vulnerabilities patched in the January 2017 CPU, 16 are rated as critical with a common vulnerability scoring system (CVSS) v3.0 rating of 9.0 or more.

One remotely exploitable flaw that doesn't require authentication or user interaction - identified as CVE-2017-3324 - has the highest possible 10 out of 10 CVSS score. It affects Oracle's Primavera P6 Enterprise Project Portfolio Management versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2.

Just 17 patches for Java

Whereas Oracle EBS vulnerabilities outweigh others in the latest update bundle, the company's Java application framework - long criticised as insecure - saw comparatively few patches

Java SE, Jave SE Embedded, and JRockit received 17 patches for vulnerabilites that are in all cases remotely exploitable without authentication. 

Three of these - CVEs 2017-3289, 2017-3272, 2017-3241 - are rated as critical, with CVSS v3.0 scores of over 9.0.

The most serious flaw in Java - CVE-2017-3289 - affects the Hotspot compiler. Oracle said it applies to Java client deployments typically running sandboxed Java Web Start applications, or Java applets that load and run untrusted code. 

Java server deployments that run trusted code only are not affected by CVE-2017-3289, Oracle said.

The January 2017 CPU is the fourth collection with more than 200 patches in a year. Oracle released a CPU with 254 patches in October, 276 in the July 2016 CPU, and 248 in January last year, marking a steadily rising trend of vulnerabilites discovered over the past few years.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
ebusiness suite java oracle security
In Partnership With

Most Read Articles

Vodafone makes aggressive play for 100Mbps NBN users

Vodafone makes aggressive play for 100Mbps NBN users
Macquarie Group set to enter mobile market

Macquarie Group set to enter mobile market
Wipro hacked, internal systems used to attack customers: report

Wipro hacked, internal systems used to attack customers: report
Photos: Inside Downer's "trains with brains" depot

Photos: Inside Downer's "trains with brains" depot
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Stop Parasites on your Network with Sophos
Stop Parasites on your Network with Sophos
Stop your Oracle database slowing down your business
Stop your Oracle database slowing down your business
How Macquarie University has prepared for fire and flood
How Macquarie University has prepared for fire and flood
Guide to Fully-Composable Software-Defined Private Cloud
Guide to Fully-Composable Software-Defined Private Cloud
Is slow data silently killing your business? Here's why you should care.
Is slow data silently killing your business? Here's why you should care.

Events

Log In

Username / Email:
Password:
  |  Forgot your password?