
Oracle’s First Critical Patch Update of 2017 Identifies 270 flaws


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Oracle’s Critical Patch Update (CPU) is a scheduled quarterly release designed to close holes in the security of many of Oracle’s product lines. The latest release offers fixes for over 270 flaws throughout Oracle’s various product lines.

Threat details

In total, the update includes a comparatively higher number of vulnerabilities that can be exploited by a remote unauthenticated attacker. 40% of the identified flaws are classed as remotely exploitable.

Notable products featured in the list of patches include Java SE and Fusion Middleware, which both contain 16 remotely exploitable vulnerabilities.

Another 118 remotely exploitable vulnerabilities are identified in Oracle’s E-Business Suite. The E-Business Suite is marketed as a full set of business applications designed to support activities including asset tracking, financial management, product lifecycle management and many other areas.

The highest-severity vulnerability in the update affects another product, found within Primavera, Oracle’s cloud-based product management and collaboration package. This vulnerability received a Common Vulnerability Scoring System (CVSS) rating of 10. Details of this vulnerability are scarce so as not to facilitate exploit development, but the flaw is labelled as ‘easily exploitable’ and offers an attacker the ability to create, modify and delete critical business data.

Specific details of the Oracle Critical Patch Update Advisory - January 2017 can be found here.


Remediation steps

  • Ensure patches are applied in a timely manner with prioritisation performed based on availability and severity.
  • Review application availability to untrusted networks, especially where management or portal access is made available across the internet, and restrict this access wherever possible.

Last edited: 17 February 2020 11:36 am