Oracle’s Security Update to Include the Fix for Serious Issues in E-Business Suite
The latest security update from Oracle is expected to include a fix for a misconfiguration in its E-Business Suite. The misconfiguration can give attackers easy access to databases that contain sensitive business information.
David Litchfield, the well-known database security expert, discovered the issue in 2014 on a client's system and at first took it for a backdoor left behind by an attacker.
“On investigation, it turned out that the ‘backdoor’ is part of a seeded installation!” he said Monday on social media. “I was flabbergasted. Still am.”
In its pre-announcement of the upcoming quarterly Critical Patch Update, Oracle said that 10 vulnerabilities will be fixed in E-Business Suite, six of which can be exploited remotely without authentication.
According to the company, the highest score among the E-Business Suite vulnerabilities patched by this update is 6.4 in the Common Vulnerability Scoring System (CVSS), a moderate rating given that the CVSS scale goes to 10.
However, the defect discovered by Litchfield is quite serious: according to the researcher, it allows attackers to execute arbitrary SQL commands as SYS, the most privileged account in the database. This is possible because E-Business Suite grants the INDEX privilege on the DUAL table, which is owned by SYS, to the PUBLIC role by default.
According to experts, attackers who can execute arbitrary SQL commands as SYS can read everything in the database, including the sensitive business records stored by the CRM (customer relationship management) applications that are part of E-Business Suite.
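The following audit script is an added example, not from the article or from Oracle; it assumes a DBA account with access to the standard Oracle data dictionary views and shows how an administrator can detect the grant described above, remove it, and check whether anyone has already created an index on SYS.DUAL.

```sql
-- 1. Detect: list every object privilege that PUBLIC holds on tables owned by SYS.
--    The misconfiguration described in the article shows up as
--    GRANTEE = 'PUBLIC', OWNER = 'SYS', TABLE_NAME = 'DUAL', PRIVILEGE = 'INDEX'.
SELECT grantee, owner, table_name, privilege, grantor, grantable
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner   = 'SYS'
   AND privilege IN ('INDEX', 'ALTER', 'REFERENCES')
 ORDER BY table_name, privilege;

-- 2. Detect abuse: an index on SYS.DUAL that was not created by SYS has no
--    legitimate reason to exist and is worth investigating as an indicator
--    that the grant has already been used.
SELECT owner, index_name, index_type, table_owner, table_name
  FROM dba_indexes
 WHERE table_owner = 'SYS'
   AND table_name  = 'DUAL'
   AND owner      <> 'SYS';

-- 3. Remediate: remove the privilege from PUBLIC. Apply Oracle's Critical Patch
--    Update as the supported fix; run the revoke in a test environment first,
--    since E-Business Suite components may depend on the default grants.
REVOKE INDEX ON sys.dual FROM PUBLIC;

-- 4. Verify: the first query should now return no row for DUAL/INDEX.
SELECT COUNT(*) AS remaining_index_grants
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner = 'SYS'
   AND table_name = 'DUAL' AND privilege = 'INDEX';
```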
The Oracle Critical Patch Update for January is expected to contain a total of 167 security fixes for vulnerabilities in hundreds of Oracle products and product versions.
Oracle has received specific reports about the malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply the Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes without delay.
A blog entry summarizing the content of the latest Critical Patch Update and other Oracle Software Security Assurance activities is available at https://blogs.oracle.com/security. This Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1.