
Oracle patches 270 vulnerabilities, including 121 in E-Business Suite

Oracle Corporation released its quarterly Critical Patch Update (CPU) on Tuesday, announcing fixes for 270 vulnerabilities.

The Redwood Shores, Calif.-based technology giant resolved flaws in a variety of product families including Oracle Database Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Industry Applications, Oracle Fusion Middleware, Oracle Sun Products, Oracle Java SE and Oracle MySQL.

Sixteen of the fixed vulnerabilities were listed as critical based on assessments using the Common Vulnerability Scoring System (CVSS), according to an analysis by ERPScan. One of them, a vulnerability in the Primavera P6 Enterprise Project Portfolio Management software, was assigned the maximum score of 10.0. Officially designated CVE-2017-3324, this flaw can be exploited by unauthenticated attackers with network access via HTTP in order to create, delete, modify or access data or cause a partial denial of service.

A total of 31 flaws scored as “high risk” in all three of CVSS' impact metrics – confidentiality, integrity and availability.

Oracle's CPU contains 121 new security fixes for the Oracle E-Business Suite alone – 118 of which may be remotely exploitable without authentication. “The focus has shifted from Database and Java SE to critical business applications...” reads the ERPScan blog post.

"This CPU is special because the number of vulnerabilities fixed sets a new record for the amount of vulnerabilities fixed in a single CPU for Business Critical Applications," states a blog post by Matias Mevied, Oracle security specialist at ERP and business application security company Onapsis. (It is not, however, the most vulnerabilities ever reported by Oracle in one update.)

"With the growing amount of researchers reporting security weaknesses to Oracle, it is a great sign of the company's flexibility and willingness to work with these teams to solve as many vulnerabilities as they do."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts and video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
