Oracle issues 270 critical patches

By on
Oracle issues 270 critical patches

E-Business Suite the most vulnerable.

Oracle has released a large number of critical security patches for the first month of the year, with 121 updates alone for its E-Business Suite (EBS).

Its critical patch update (CPU) for January 2017 addresses a total of 270 vulnerabilities across Oracle's product portfolio.

According to security vendor ERPscan, 97 percent - or 118 vulnerabilites in EBS - are remotely exploitable without any authentication.

"A succesful attack against Oracle EBS allows an attacker to steal and manipulate different [types of] business-critical information, depending on the modules installed in an organisation," ERPscan said.

Of the vulnerabilities patched in the January 2017 CPU, 16 are rated as critical with a common vulnerability scoring system (CVSS) v3.0 rating of 9.0 or more.

One remotely exploitable flaw that doesn't require authentication or user interaction - identified as CVE-2017-3324 - has the highest possible 10 out of 10 CVSS score. It affects Oracle's Primavera P6 Enterprise Project Portfolio Management versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2.

Just 17 patches for Java

Whereas Oracle EBS vulnerabilities outweigh others in the latest update bundle, the company's Java application framework - long criticised as insecure - saw comparatively few patches

Java SE, Jave SE Embedded, and JRockit received 17 patches for vulnerabilites that are in all cases remotely exploitable without authentication. 

Three of these - CVEs 2017-3289, 2017-3272, 2017-3241 - are rated as critical, with CVSS v3.0 scores of over 9.0.

The most serious flaw in Java - CVE-2017-3289 - affects the Hotspot compiler. Oracle said it applies to Java client deployments typically running sandboxed Java Web Start applications, or Java applets that load and run untrusted code. 

Java server deployments that run trusted code only are not affected by CVE-2017-3289, Oracle said.

The January 2017 CPU is the fourth collection with more than 200 patches in a year. Oracle released a CPU with 254 patches in October, 276 in the July 2016 CPU, and 248 in January last year, marking a steadily rising trend of vulnerabilites discovered over the past few years.

Copyright © iTnews.com.au . All rights reserved.
Tags:
ebusiness suite java oracle security

Most Read Articles

Ransomware strikes Victorian speed cameras

Ransomware strikes Victorian speed cameras
NBN Co adds 50 new suburbs to FTTC rollout

NBN Co adds 50 new suburbs to FTTC rollout
Ombudsman stunned by Vic CIO's 'calculated nepotism'

Ombudsman stunned by Vic CIO's 'calculated nepotism'
First NBN FTTC areas unlikely to be able to order retail service

First NBN FTTC areas unlikely to be able to order retail service
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Optimising Enterprise Data Centres for the Cloud
Optimising Enterprise Data Centres for the Cloud
Growing companies have a growing interest in technology
Growing companies have a growing interest in technology
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
RSA NetWitness® Endpoint. Respond 3X Faster to Threats
Building platforms for future health and education
Building platforms for future health and education
Breach Level Index Report
Breach Level Index Report

Events

Log In

Username:
Password:
|  Forgot your password?