Oracle Critical Patch Update (CPU April 2015)

As a company, Onapsis is focused on the security of business-critical applications such as SAP and Oracle. While our focus is on SAP applications, we have been doing research on Oracle business applications as well to identify and report critical vulnerabilities. In this sense, Oracle is different from SAP in regards to the method and timing that security patches are released and available to end users.

In this post, I will perform an analysis of the Oracle April 2015 Critical Patch Update (AKA CPU). The goal of this, is to provide oracle customers with detailed information about the newly released vulnerabilities affecting their business critical applications, and to help customers better understand and prioritize the testing of vulnerabilities on these systems within their organization.

During April 2015, Oracle published 98 vulnerabilities affecting 43 different Oracle products. Oracle uses the Common Vulnerabilities and Exposures standard (CVE) to uniquely identify the vulnerability and Common Vulnerability Scoring System V2 (CVSS) in order to measure the risk implied by the vulnerability in terms of different aspects such as exploitability, complexity and impact, to name a few.

41.8% of the total number of vulnerabilities fixed on the current CPU are vulnerabilities affecting the following business critical applications: Oracle Fusion Middleware, Supply Chain, PeopleSoft, E-Business Suite, Hyperion, Retail Applications, JD Edwards, Siebel CRM and Health Sciences Products.

On This month’s CPU, more than 41% of the vulnerabilities are affecting Business Critical  Applications. It means that companies should take immediate actions to mitigate the risks implied by them.

The top 3 affected product groups are: “MySQL”, “Fusion Middleware” and “Java SE”. It Is important to take into account that Java is widely used and deployed on nearly every corporate environment and business application. There are tons of applications and websites that simply won’t work, unless you have Java installed, therefore you must have an updated version, to avoid risk exposure.

The following table shows the number of vulnerabilities published by product group, according to the Oracle April 2015 CPU: Continue reading

Share Button

Oracle CPU – January 2015 Focus on Business Applications

As a company, Onapsis is focused on the security of business-critical applications such as SAP and Oracle. While our focus has been on SAP applications, we have also been actively researching, identifying and reporting critical vulnerabilities facing Oracle business applications. In this sense, Oracle is different from SAP, specifically in the way and timing that security patches are released and available to end users.

In this post, I will go through an analysis of Oracle’s January 2015 Critical Patch Update (aka CPU). The goal is to provide Oracle customers with detailed information about the newly released vulnerabilities affecting their business critical applications, and to help them to better understand and prioritize the testing for vulnerabilities on these systems within their organization.

In January 2015, Oracle published 169 vulnerabilities affecting 48 different Oracle products. Oracle uses the Common Vulnerabilities and Exposures standard (CVE) to uniquely identify the vulnerability and Common Vulnerability Scoring System V2 (CVSS) to measure the risk implied by the vulnerability in terms of different aspects such as exploitability, complexity and impact, to name a few.

An important aspect of this month’s CPU is the fact that more than 59% of these vulnerabilities are affecting business-critical applications. This means that companies have to be aware of these vulnerabilities and take immediate actions to mitigate the risks implied by them.
Continue reading

Share Button

Weakest link safety: Oracle Fail Safe Backup

Intro

We all know it, it is nothing new, the level of security in an organization is equivalent to the weaklist link of the chain.

On this blog post we are going to study how an attacker can compromise an SAP system by taking advantage of a simple database vulnerability.

To give more context about this vulnerability, first we need to start defining what is “Oracle Fail Safe Backup” and what is its relationship with SAP.

According to Oracle’s site:

Oracle Fail Safe it is a high availability software, integrated with Microsoft Failover Cluster, that provides a fast, easy, and accurate way to configure and verify Windows clusters and to automatically fail over Oracle databases and applications.

In the event of a system failure, Oracle Fail Safe works with Microsoft Failover Cluster to restart Oracle databases and applications on a surviving cluster node.

Continue reading

Share Button

Assessing the security of SAP ecosystems: Access from the SAP Application Layer to the Database

In previous posts we performed security assessments on the Management Console.

For the upcoming assessments we will need a tool to connect with the underlying databases. SQL*Plus is an Oracle utility with a basic command-line interface which allows us to connect with Oracle databases and execute queries in a simple fashion. Notice that you will have to download the Instant Client Package – Basic, and then download the Instant Client Package – SQL*Plus.

This way of performing arbitrary queries only works for SAP implementations with Oracle databases (which is the most common configuration in SAP Systems). As seen in a previous post, our sample SAP ecosystem has an Oracle database so we can perform this assessment. If there is an SAP system running on an Oracle database, an eventual attacker is most likely to succeed since it’s based on a default and mandatory trust relationship between the SAP System and the Oracle database.

Continue reading

Share Button