Oracle Critical Patch Update (CPU April 2015)

As a company, Onapsis is focused on the security of business-critical applications such as SAP and Oracle. While our focus is on SAP applications, we have been doing research on Oracle business applications as well to identify and report critical vulnerabilities. In this sense, Oracle is different from SAP in regards to the method and timing that security patches are released and available to end users.

In this post, I will perform an analysis of the Oracle April 2015 Critical Patch Update (AKA CPU). The goal of this, is to provide oracle customers with detailed information about the newly released vulnerabilities affecting their business critical applications, and to help customers better understand and prioritize the testing of vulnerabilities on these systems within their organization.

During April 2015, Oracle published 98 vulnerabilities affecting 43 different Oracle products. Oracle uses the Common Vulnerabilities and Exposures standard (CVE) to uniquely identify the vulnerability and Common Vulnerability Scoring System V2 (CVSS) in order to measure the risk implied by the vulnerability in terms of different aspects such as exploitability, complexity and impact, to name a few.

41.8% of the total number of vulnerabilities fixed on the current CPU are vulnerabilities affecting the following business critical applications: Oracle Fusion Middleware, Supply Chain, PeopleSoft, E-Business Suite, Hyperion, Retail Applications, JD Edwards, Siebel CRM and Health Sciences Products.

On This month’s CPU, more than 41% of the vulnerabilities are affecting Business Critical  Applications. It means that companies should take immediate actions to mitigate the risks implied by them.

The top 3 affected product groups are: “MySQL”, “Fusion Middleware” and “Java SE”. It Is important to take into account that Java is widely used and deployed on nearly every corporate environment and business application. There are tons of applications and websites that simply won’t work, unless you have Java installed, therefore you must have an updated version, to avoid risk exposure.

The following table shows the number of vulnerabilities published by product group, according to the Oracle April 2015 CPU: Continue reading

Share Button

Assessing the security of SAP ecosystems: Access from the SAP Application Layer to the Database

In previous posts we performed security assessments on the Management Console.

For the upcoming assessments we will need a tool to connect with the underlying databases. SQL*Plus is an Oracle utility with a basic command-line interface which allows us to connect with Oracle databases and execute queries in a simple fashion. Notice that you will have to download the Instant Client Package – Basic, and then download the Instant Client Package – SQL*Plus.

This way of performing arbitrary queries only works for SAP implementations with Oracle databases (which is the most common configuration in SAP Systems). As seen in a previous post, our sample SAP ecosystem has an Oracle database so we can perform this assessment. If there is an SAP system running on an Oracle database, an eventual attacker is most likely to succeed since it’s based on a default and mandatory trust relationship between the SAP System and the Oracle database.

Continue reading

Share Button