Oracle scolds customers for not patching and getting pwned

Oracle has chided customers for failing to apply patches to its products in a timely manner and therefore falling victim to attackers.

The enterprise IT vendor today said it continued to "periodically receive reports" of attempts by attackers to exploit vulnerabilities that it had already released fixes for.

It said the attackers were occasionally successful because the targeted Oracle customers had failed to apply available patches.

"Oracle therefore strongly recommends that customers remain on actively-supported versions and apply critical patch update fixes without delay," the company said.

It made its comments as part of an advisory about its critical patch update for October 2017.

This quarter's collection of security patches includes 252 fixes. The figure is down from the 308 patches Oracle released in July and the 300 that were provided in April, but is higher than January's count of 209.

However the October collection contains a high number of remote code execution flaws that don't require user credentials to exploit.

The RCEs were found in the likes of Oracle Siebel CRM, PeopleSoft, Fusion Middleware, E-Business Suite, JD Edwards and MySQL.

This month's patch update also fixes two critical flaws in Oracle's Java application development framework and code runtime, within the Hotspot and Remote Method Invocation components.

Both can be exploited remotely to run arbitrary code without user authentication on vulnerable systems.

Security vendor ERPscan analysed the October 2017 bundle and singled out three critical vulnerabilites that had earned the full 10 out of 10 common vulnerability scoring system (CVSS) rating.

The three flaws were found in Oracle's Hospitality Reporting and Analytics software and have been labelled priority fixes.

Oracle's Siebel Apps - Field Service also has a 10 CVSS-rated flaw that can be exploited to completely take over the software.

ERPscan founder and chief technical officer Alex Polyakov said the October patch update also contains "an alarming number of PeopleSoft fixes". 

Of the 23 PeopleSoft vulnerabilities in the bundle, 13 can be exploited remotely over networks without entering user credentials, Polyakov said.

“Over 1000 PeopleSoft systems are discoverable on the internet simply by Google or Shodan.io scanning, therefore putting organisations at risk because of the recent vulnerabilities," he said.