As with almost all previous Oracle E-Business Suite Critical Patch Updates (CPU), the October 2017 quarterly patch is significant and high-risk. 47 of the past 52 quarterly patches have been significant and high-risk because they fix one or more SQL injection vulnerabilities or other damaging security vulnerabilities in the Oracle E-Business Suite web application. Despite the publicity, marketing, or naming of specific vulnerabilities, this quarter is no different from previous quarters in terms of risk and the priority it should receive within your organization.
For this quarter, the CPU fixes 3 SQL injection vulnerabilities, 16 cross-site scripting (XSS) vulnerabilities, 3 information disclosures, and 4 vulnerabilities of other types. Most important, 25 of the 26 vulnerabilities are remotely exploitable without authentication.
Externally facing Oracle E-Business Suite environments (DMZ) running iStore or iSupport should take immediate action to mitigate the two vulnerabilities impacting iStore and the four vulnerabilities impacting iSupport (and Knowledge Management). The affected web pages are allowed through the URL Firewall whenever the iStore or iSupport modules are enabled, so the URL Firewall does not protect against them. All six are cross-site scripting (XSS) vulnerabilities: exploitation requires interaction with the end user, such as clicking a link, but allows the attacker to hijack the end user's session.
October 2017 Recommendations
As with almost all Critical Patch Updates, the security vulnerability fixes are significant and high-risk. Corrective action should be taken immediately for all Oracle E-Business Suite environments. The implementations most at risk are those running Internet-facing self-service modules (e.g., iStore, iSupplier, iSupport), and Integrigy rates this CPU as a critical risk due to the number of SQL injection vulnerabilities that can be remotely exploited without authentication. These implementations should (1) apply the CPU as soon as possible or use a virtual patching solution such as AppDefend and (2) ensure the DMZ is configured according to the EBS-specific DMZ instructions and that the EBS URL Firewall is enabled and optimized so that only the pages required by the enabled modules are reachable from the Internet.
Most Oracle E-Business Suite environments do not apply the CPU security patch in a timely manner and are therefore vulnerable to full compromise of the application through exploitation of multiple vulnerabilities. If the CPU cannot be applied quickly, the only effective alternative is Integrigy's AppDefend, an application firewall for Oracle E-Business Suite. AppDefend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.
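A practical check that follows from the two recommendations above (a tight URL Firewall allow-list for the DMZ, and awareness that the iStore/iSupport XSS pages are allowed through it) is to look at what is actually reaching the external web tier. The script below is an added example written for this article, not code from the original page or from Oracle or Integrigy. It reads Apache combined-format access log lines from the DMZ web tier and reports two things: requests whose path falls outside a per-module allow-list (and whether they were served or blocked), and requests to allowed pages whose query-string values carry reflected-XSS markers after repeated URL decoding. The log format, the page-name prefixes used for the allow-list (`ibe` for iStore, `ibu` for iSupport, `cs` for Knowledge Management), the XSS marker list, and the sample log lines are all assumptions constructed for this example; a real allow-list should be taken from the environment's own URL Firewall configuration.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# Apache combined log format as commonly written by the EBS web tier
# (assumed format for this example; adjust the regex to your LogFormat).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Path prefixes a DMZ node should expose when only iStore and iSupport are enabled.
# Assumed for this example: iStore JSPs start with "ibe", iSupport with "ibu",
# Knowledge Management with "cs". Take the real list from url_fw.conf / the
# URL Firewall allow-list of your environment.
ALLOWED_PREFIXES = (
    "/OA_HTML/ibe",
    "/OA_HTML/ibu",
    "/OA_HTML/cs",
    "/OA_HTML/AppsLogin",
    "/OA_HTML/AppsLocalLogin.jsp",
    "/OA_MEDIA/",
)

# Reflected-XSS markers searched for in fully decoded query-string values.
# The \b before "on" avoids matching ordinary parameter names such as "conversion=".
XSS_MARKERS = re.compile(
    r"<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*img|<\s*svg|<\s*iframe",
    re.IGNORECASE,
)


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%253C -> %3C -> <) are seen."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze(log_lines):
    """Return a list of findings (dicts) for the given access-log lines."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line in the expected format
        parts = urlsplit(m["url"])
        path = decode_fully(parts.path)
        status = int(m["status"])

        if not path.startswith(ALLOWED_PREFIXES):
            # The URL Firewall should have rejected this request. A 2xx means it
            # reached the application, which points at an allow-list that is too wide.
            served = 200 <= status < 300
            findings.append({
                "ip": m["ip"], "path": path, "status": status,
                "issue": "url_not_allowed_served" if served else "url_not_allowed_blocked",
            })
            continue

        # Allowed page (for example an iStore or iSupport JSP): inspect the
        # parameters for XSS payloads, since the URL Firewall will not block these.
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            if XSS_MARKERS.search(decode_fully(value)):
                findings.append({"ip": m["ip"], "path": path, "status": status,
                                 "issue": "xss_probe", "param": key})
                break
    return findings


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.10 - - [20/Oct/2017:10:01:02 +0000] "GET /OA_HTML/ibeCZzpHome.jsp?a=b HTTP/1.1" 200 5120',
    '203.0.113.10 - - [20/Oct/2017:10:01:09 +0000] "GET /OA_HTML/ibeCAcpSSOReg.jsp?returnUrl=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 2048',
    '198.51.100.7 - - [20/Oct/2017:10:02:15 +0000] "GET /OA_HTML/ibuhpage.jsp?q=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 3072',
    '198.51.100.7 - - [20/Oct/2017:10:03:40 +0000] "GET /forms/frmservlet HTTP/1.1" 403 312',
    '198.51.100.7 - - [20/Oct/2017:10:03:44 +0000] "GET /OA_HTML/OA.jsp?OAFunc=OAHOMEPAGE HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f)
```

On the sample data the script flags the two XSS probes against iStore and iSupport pages (the second one double-encoded), reports the Forms servlet request as correctly blocked (403), and reports the framework home page as served (200), which is what an over-permissive URL Firewall looks like in the logs. The XSS detection is a heuristic for triage, not a substitute for patching or for AppDefend-style virtual patching of the pages themselves.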
Oracle E-Business Suite 11i
As of April 2016, the 11i CPU patches are only available to Oracle customers with Tier 1 Support. Integrigy's analysis of the October 2017 CPU shows that at least 18 of the 26 vulnerabilities are also exploitable in 11i. 11i environments without Tier 1 Support should implement a web application firewall with virtual patching for Oracle E-Business Suite in order to remediate the large number of unpatched security vulnerabilities. As of October 2017, an unsupported Oracle E-Business Suite 11i environment has approximately 170 unpatched vulnerabilities, a number of which are high-risk SQL injection bugs.
11i Tier 1 Support has been extended through December 2018; October 2018 will therefore be the final CPU for Oracle E-Business Suite 11i.
Oracle E-Business Suite 12.0
CPU support for Oracle E-Business Suite 12.0 ended in January 2015, and there are no security fixes for this release. Integrigy's analysis of the CPU shows that at least 22 of the 26 vulnerabilities are exploitable in 12.0. To protect such an environment, the Integrigy AppDefend application firewall for Oracle E-Business Suite provides virtual patching for all of these exploitable web security vulnerabilities.