Oracle Corporation issued a critical patch update for July 2017, fixing 308 vulnerabilities across its product line, the company announced in a security advisory.
The security fixes address multiple vulnerabilities in many different product categories, including: Database, Fusion Middleware, Enterprise Manager, E-Business suite, Office Supply Chain, PeopleSoft, Siebel, Oracle Commerce, iLearning, Fusion Applications, Oracle Communications, Oracle Enterprise, Policy Automation, Primavera, Java SE, Oracle and Sun Systems Products Suite, Linux and Virtualization, MySQL Product Suite, Support Tools, and solutions for the finances services, retail, and hospitality industries.
One of the addressed bugs was a high-risk arbitrary documents download vulnerability in the E-Business Suite. Officially designated CVE-2017-10244, the flaw was discovered by Juan Perez-Etchegoyen, CTO of Onapsis. According to an Onapsis press release, the flaw, if exploited could attackers with network access to the EBS system to retrieve all of its stored in its database, "resulting in a potentially severe information and data loss situation as well as costly compliance violations..."
E-Business Suite versions 12.1.3, 12.2.3, 12.2.4, 12.2.5 and 12.2.6 are vulnerable to the flaw, reported Onapsis.
"Any number of critical documents could be stored in the system including invoices, purchase orders, HR information and design documents to start," said Perez-Etchegoyen, in the release. "While we would never scan to identify vulnerable systems, using free search engines we were able to identify that upwards of 1,000 EBS systems are currently connected to the internet, more than half of these being in the United States. These organizations need to patch immediately to mitigate this risk in their organization."