As a company, Onapsis is focused on the security of business-critical applications such as SAP and Oracle. While our focus is on SAP applications, we have been doing research on Oracle business applications as well to identify and report critical vulnerabilities. In this sense, Oracle is different from SAP in regards to the method and timing that security patches are released and available to end users.
In this post, I will perform an analysis of the Oracle April 2015 Critical Patch Update (AKA CPU). The goal of this, is to provide oracle customers with detailed information about the newly released vulnerabilities affecting their business critical applications, and to help customers better understand and prioritize the testing of vulnerabilities on these systems within their organization.
During April 2015, Oracle published 98 vulnerabilities affecting 43 different Oracle products. Oracle uses the Common Vulnerabilities and Exposures standard (CVE) to uniquely identify the vulnerability and Common Vulnerability Scoring System V2 (CVSS) in order to measure the risk implied by the vulnerability in terms of different aspects such as exploitability, complexity and impact, to name a few.
41.8% of the total number of vulnerabilities fixed on the current CPU are vulnerabilities affecting the following business critical applications: Oracle Fusion Middleware, Supply Chain, PeopleSoft, E-Business Suite, Hyperion, Retail Applications, JD Edwards, Siebel CRM and Health Sciences Products.
On This month’s CPU, more than 41% of the vulnerabilities are affecting Business Critical Applications. It means that companies should take immediate actions to mitigate the risks implied by them.
The top 3 affected product groups are: “MySQL”, “Fusion Middleware” and “Java SE”. It Is important to take into account that Java is widely used and deployed on nearly every corporate environment and business application. There are tons of applications and websites that simply won’t work, unless you have Java installed, therefore you must have an updated version, to avoid risk exposure.
The following table shows the number of vulnerabilities published by product group, according to the Oracle April 2015 CPU: Continue reading