Oracle patch July 2018
Today Oracle has released its quarterly Critical Patch Update (CPU) for July 2018. It fixes a record number of vulnerabilities. The graph above shows that the vendor has released yet another record-breaking batch of patches; it is safe to say that the number of issues fixed per Oracle CPU is on a steady upward trend.
The average number of security patches has tripled in the last 4 years (from to ). The patch updates touch a wide range of products. The affected product families are shown in a table, sorted in descending order by the number of closed issues. As the table shows and the pie chart illustrates, Financial Services Applications lead by the number of closed issues. The fact that Oracle has , applications customers across a wide range of industries makes it of the utmost importance to apply the released security patches.
As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business-critical information, depending on the modules installed in an organization.
As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on the modules installed in an organization.
Oracle prepares Risk Matrices and associated documentation describing the conditions required to exploit each vulnerability and the potential impact of a successful attack. This is meant to help Oracle customers fix the most critical issues first. Organizations are strongly advised to apply patches for all of these vulnerabilities to prevent business risks affecting their systems, and companies providing Oracle security assessment and Oracle penetration testing services should include these vulnerabilities in their checklists.
The main highlights are as follows: the average number of security issues fixed per quarter keeps growing this year; the CPU for July 2018 contains vulnerabilities in business-critical applications; the most vulnerable application family is Oracle Financial Services Applications, totaling ; and the criticality of the issues is alarming, since 21 of them can be exploited over the network without entering user credentials.
Oracle vulnerabilities by application type. The patch updates touch a wide range of products. This Critical Patch Update contains 14 fixes for Oracle EBS; the highest CVSS score is 8. The details of the identified issues are provided below. A directory traversal vulnerability enables an attacker to upload a JSP file into the apps folder, execute commands and escalate privileges. The SupportAssistant component in JD Edwards EnterpriseOne does not perform the necessary authorization checks for a critical function, leading to privilege escalation.
An attacker can send a GET request to the SupportAssistant endpoint and receive a list of all available methods. XXE vulnerabilities allow an attacker to read files from the server or launch a DoS attack. Through an insecure JSP file upload, an attacker can place a JSP file in the apps folder, execute commands and escalate privileges. Attackers can use a specially crafted HTTP request to hijack the session data of administrators of the web resource.
This security vulnerability allows attackers to traverse the file system and access files outside of the restricted directory. With the help of SQL injection vulnerabilities, an attacker extracts information from the database through unsanitized SQL queries.
Default password in integrationGateway. With the help of directory traversal vulnerabilities, an attacker uploads a JSP file and obtains a webshell. This vulnerability allows remote attackers to expose the internal memory of JSH processes, leaking critical information such as passwords, tokens, etc.
The most critical Oracle vulnerabilities closed by CPU for July 2018
Supported versions that are affected are . An easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Spatial (jackson-databind). Successful attacks on this vulnerability can result in takeover of Oracle Spatial (jackson-databind).
DB-specific extensions (jackson-databind). The supported version that is affected is All. An easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Global Lifecycle Management (OPatchAuto). Successful attacks on this vulnerability can result in takeover of Oracle Fusion Middleware MapViewer.
WLS — Web Services. Successful attacks on this vulnerability can result in takeover of Oracle WebLogic Server. The supported version that is affected is 9.
Securing Oracle applications
Post by Research Team.
Corporate Security Blog
Affected Products and Patch Information: security vulnerabilities addressed by this Critical Patch Update affect the products listed below, including Oracle Financial Services Profitability Management. Five (5) new critical Java vulnerabilities were also fixed in the WebLogic Server, all of which are remotely exploitable without authentication.
Analyzing Oracle Security – Oracle Critical Patch Update for July 2018
For more information, see Oracle vulnerability disclosure policies. Oracle Retail Service Layer, versions . A CVE shown in italics indicates that this vulnerability impacts a different product, but also has impact on the product where the italicized CVE is listed.
Guidance on Oracle July 2018 Critical Patch Update
Oracle Communications Network Charging and Control, versions 4. Oracle Banking Payments, versions . Oracle Hospitality Gift and Loyalty.

People are acknowledged for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.

Half of the Java SE flaws affect server deployments and half affect client-side deployments. The product area is shown in the Patch Availability Document column. Oracle Fusion Middleware products include Oracle Database components that are affected by the vulnerabilities listed in the Oracle Database section. Oracle releases security advisories for Oracle Linux as patches become available. This Critical Patch Update contains new security fixes across the product families listed below. Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Critical Patch Update.