Oracle issues 270 critical patches

By on
Oracle issues 270 critical patches

E-Business Suite the most vulnerable.

Oracle has released a large number of critical security patches for the first month of the year, with 121 updates alone for its E-Business Suite (EBS).

Its critical patch update (CPU) for January 2017 addresses a total of 270 vulnerabilities across Oracle's product portfolio.

According to security vendor ERPscan, 97 percent - or 118 vulnerabilites in EBS - are remotely exploitable without any authentication.

"A succesful attack against Oracle EBS allows an attacker to steal and manipulate different [types of] business-critical information, depending on the modules installed in an organisation," ERPscan said.

Of the vulnerabilities patched in the January 2017 CPU, 16 are rated as critical with a common vulnerability scoring system (CVSS) v3.0 rating of 9.0 or more.

One remotely exploitable flaw that doesn't require authentication or user interaction - identified as CVE-2017-3324 - has the highest possible 10 out of 10 CVSS score. It affects Oracle's Primavera P6 Enterprise Project Portfolio Management versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, and 16.2.

Just 17 patches for Java

Whereas Oracle EBS vulnerabilities outweigh others in the latest update bundle, the company's Java application framework - long criticised as insecure - saw comparatively few patches

Java SE, Jave SE Embedded, and JRockit received 17 patches for vulnerabilites that are in all cases remotely exploitable without authentication. 

Three of these - CVEs 2017-3289, 2017-3272, 2017-3241 - are rated as critical, with CVSS v3.0 scores of over 9.0.

The most serious flaw in Java - CVE-2017-3289 - affects the Hotspot compiler. Oracle said it applies to Java client deployments typically running sandboxed Java Web Start applications, or Java applets that load and run untrusted code. 

Java server deployments that run trusted code only are not affected by CVE-2017-3289, Oracle said.

The January 2017 CPU is the fourth collection with more than 200 patches in a year. Oracle released a CPU with 254 patches in October, 276 in the July 2016 CPU, and 248 in January last year, marking a steadily rising trend of vulnerabilites discovered over the past few years.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
ebusiness suite java oracle security
In Partnership With

Most Read Articles

ASD returns fire over Microsoft removal claims

ASD returns fire over Microsoft removal claims
NBN speed standards emerge at top tiers

NBN speed standards emerge at top tiers
DTA calls out contractors and consultants as barriers to change

DTA calls out contractors and consultants as barriers to change
First day deluge for My Health Record opt-out

First day deluge for My Health Record opt-out
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Managed Security Service Providers for Dummies
Managed Security Service Providers for Dummies
The Cost of Cloud Expertise report
The Cost of Cloud Expertise report
The business case for hyperconvergence
The business case for hyperconvergence
What Every CIO Should Know about DevOps & Container Guides by Puppet
What Every CIO Should Know about DevOps & Container Guides by Puppet
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators

Events

Log In

Username / Email:
Password:
  |  Forgot your password?