Oracle issues 270 critical patches

By on
Oracle issues 270 critical patches

E-Business Suite the most vulnerable.

Oracle has released a large number of critical security patches for the first month of the year, with 121 updates alone for its E-Business Suite (EBS).

Its critical patch update (CPU) for January 2017 addresses a total of 270 vulnerabilities across Oracle's product portfolio.

According to security vendor ERPscan, 97 percent - or 118 vulnerabilites in EBS - are remotely exploitable without any authentication.

"A succesful attack against Oracle EBS allows an attacker to steal and manipulate different [types of] business-critical information, depending on the modules installed in an organisation," ERPscan said.

Of the vulnerabilities patched in the January 2017 CPU, 16 are rated as critical with a common vulnerability scoring system (CVSS) v3.0 rating of 9.0 or more.

One remotely exploitable flaw that doesn't require authentication or user interaction - identified as CVE-2017-3324 - has the highest possible 10 out of 10 CVSS score. It affects Oracle's Primavera P6 Enterprise Project Portfolio Management versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2.

Just 17 patches for Java

Whereas Oracle EBS vulnerabilities outweigh others in the latest update bundle, the company's Java application framework - long criticised as insecure - saw comparatively few patches

Java SE, Jave SE Embedded, and JRockit received 17 patches for vulnerabilites that are in all cases remotely exploitable without authentication. 

Three of these - CVEs 2017-3289, 2017-3272, 2017-3241 - are rated as critical, with CVSS v3.0 scores of over 9.0.

The most serious flaw in Java - CVE-2017-3289 - affects the Hotspot compiler. Oracle said it applies to Java client deployments typically running sandboxed Java Web Start applications, or Java applets that load and run untrusted code. 

Java server deployments that run trusted code only are not affected by CVE-2017-3289, Oracle said.

The January 2017 CPU is the fourth collection with more than 200 patches in a year. Oracle released a CPU with 254 patches in October, 276 in the July 2016 CPU, and 248 in January last year, marking a steadily rising trend of vulnerabilites discovered over the past few years.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
ebusiness suite java oracle security
In Partnership With

Most Read Articles

Australia will now headhunt tech talent for permanent residency

Australia will now headhunt tech talent for permanent residency
NBN Co's FTTC and HFC build costs rise again

NBN Co's FTTC and HFC build costs rise again
Optus shifts 100k premises out of NBN 12Mbps in three months

Optus shifts 100k premises out of NBN 12Mbps in three months
Morrison vows to tame Centrelink IT "beast"

Morrison vows to tame Centrelink IT "beast"
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Is your AWS framework well-architected?
Is your AWS framework well-architected?
Why you should reassess your cybersecurity posture
Why you should reassess your cybersecurity posture
How will you manage the cloud data deluge?
How will you manage the cloud data deluge?
Follow these steps to prevent targeted attacks
Follow these steps to prevent targeted attacks
Your mobile devices may not be secure – learn how to fix that
Your mobile devices may not be secure – learn how to fix that

Events

Log In

Username / Email:
Password:
  |  Forgot your password?