Oracle fixed 250 bugs across its products on Tuesday as part of its quarterly Critical Patch Update.
Oracle Fusion Middleware (38), Oracle Hospitality (37) and Oracle MySQL (25) are among the products that received the most patches.
JP Perez-Etchegoyen, CTO of Onapsis, said that his team identified three high-risk SQL injection vulnerabilities in Oracle E-Business Suite (EBS), one of which (CVE-2017-10332) is very easy to exploit.
Oracle EBS versions 12.1 and 12.2 are affected by SQL injection vulnerabilities that could give an attacker access without any login credentials.
Such an attacker could alter data such as payment information, customer information or financial records.
Perez-Etchegoyen said that “These vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it.”
Another highly critical vulnerability was found in PeopleSoft; an attacker can use it to execute commands remotely on the PeopleSoft server and gain full access to its data.
The company said that “Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate different business critical information, depending on modules installed in an organization.”
Of the 37 patches released for Oracle Hospitality Applications, three address vulnerabilities (CVE-2017-10402, CVE-2017-10405, CVE-2017-10404) that an attacker could use to access all the data and completely take over the application.
Oracle Database Server received six security patches, two of them for vulnerabilities that can be exploited remotely without any authentication.
Java Standard Edition also received 22 security fixes in Oracle's quarterly Critical Patch Update, about 90% of which can be exploited without any user authentication.
For more details regarding Oracle's Critical Patch Update, visit here.