Oracle product vulnerabilities hit all-time high

The July 2018 Critical Patch Update (CPU) set of security fixes for Oracle products released overnight closes no fewer than 334 vulnerabilites, up from 251 in April and more than the highest number remedied so far, 308 in July 2017.

Of the 334 flaws, 61 are considered as critical with high Common Vulnerabilities Scoring System ratings of 9.0 to 10.0.

Oracle's Financial Services Applications receive the most amount of patches fixing 56 flaws, followed by Fusion Middleware (44) and Retail Applications and the MySQL database (31 respectively).

Attackers could use 21 of the Financial Services Applications to gain access to systems remotely, without having to enter user credentials.

As with past critical updates, Oracle said it continues to receive reports of successful attacks on customers who have not applied available security patches.

Oracle is urging customers to use supported software and to apply the CPU fixes without delay. 

Security vendor ERPScan said it had reported 17 critical vulnerabilties to Oracle that are fixed in the July 2018 CPU.

These include serious flaws such as remote command execution in Oracle MapViewer (CVSS 9.8), privilege escalation in Oracle Middleware (CVSS 9.8) and a cross-scripting vulnerability in JD Edwards TETaskProperties maflet (CVSS 9.1) that can be used to hijack administrators' session data.

While Oracle credited 43 independent researchers and individuals working with companies such as Apple, Google, Trend Micro, GE and Secunia, it would not acknowledge vulnerabilities reported by ERPScan.

ERPScan said Oracle would not credit the security researchers' vulnerability reports because in June the United States government put the company on a sanctions list that prohibits Americans from engaging in any transactions with them.

The US Treasury designated ERPscan as a sanctioned entity in August 2016 on the basis it is a subsidiary of Digital Security.

The US government claims Digital Security has provided material and technological support to Russia's Federal Security Service (FSB), as part of a project to boost the agency's offensive cyber capabilities.

Founder and chief technology officer Alexander Polyakov called the US Treasury sanctions "unjust" and said ERPScan have nothing to do with the FSB or other government agencies worldwide.