Oracle patches 308 bugs, including high-risk arbitrary download flaw in E-Business Suite

Oracle Corporation issued a critical patch update for July 2017, fixing 308 vulnerabilities across its product line, the company announced in a security advisory.

The security fixes address multiple vulnerabilities in many different product categories, including: Database, Fusion Middleware, Enterprise Manager, E-Business Suite, Office Supply Chain, PeopleSoft, Siebel, Oracle Commerce, iLearning, Fusion Applications, Oracle Communications, Oracle Enterprise, Policy Automation, Primavera, Java SE, Oracle and Sun Systems Products Suite, Linux and Virtualization, MySQL Product Suite, Support Tools, and solutions for the financial services, retail, and hospitality industries.

One of the addressed bugs was a high-risk arbitrary documents download vulnerability in the E-Business Suite. Officially designated CVE-2017-10244, the flaw was discovered by Juan Perez-Etchegoyen, CTO of Onapsis. According to an Onapsis press release, the flaw, if exploited, could allow attackers with network access to the EBS system to retrieve all of the documents stored in its database, "resulting in a potentially severe information and data loss situation as well as costly compliance violations..."

E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 are vulnerable to the flaw, reported Onapsis.

"Any number of critical documents could be stored in the system including invoices, purchase orders, HR information and design documents to start," said Perez-Etchegoyen, in the release. "While we would never scan to identify vulnerable systems, using free search engines we were able to identify that upwards of 1,000 EBS systems are currently connected to the internet, more than half of these being in the United States. These organizations need to patch immediately to mitigate this risk in their organization."

Bradley Barth
