This post covers Critical Patch Update (CPUs) for July 2018 for Oracle E-Business Suite. This Critical Patch Update contains 14 new security fixes for the Oracle E-Business Suite. 13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
If you are new to Oracle AppsDBA or already working as Apps DBA but on version 11i or R12.1 then I suggest you first go through below FREE videos from Oracle ACE, Author, and Oracle Apps Expert Atul Kumar
- [Video] Oracle Apps DBA (R12.2) Architecture
- [Video] Oracle Apps DBA (R12.2) Installation: FREE Training
- [Video] File System in Oracle E-Business Suite R12.2: Dual, APPL_TOP, INST_TOP, COMMON_TOP, FMW_HOME
- [Video] Oracle Apps DBA (R12.2) Services: Start/Stop
- [Video] Oracle Apps DBA (R12.2) Patching (ADOP): FREE Training
The Critical Patch Update for July 2018 was released on July 17th, 2018. Oracle strongly recommends applying the patches as soon as possible.
Oracle Critical Patch Update (CPUs) for July 2018 for Oracle E-Business Suite:
- 14 new security fixes for E-business Suite. 13 of these vulnerabilities may be remotely exploitable without authentication
- 3 new security fixes for the Oracle Database Server. 1 of these vulnerabilities may be remotely exploitable without authentication
- 1 new security fix for Oracle Global Lifecycle Management. This vulnerability is remotely exploitable without authentication
- 5 new security fix for Oracle Weblogic server, 4 of these critical vulnerabilities may be remotely exploitable. It is highly imperative that July 2018 CPU patches are applied on weblogic servers ASAP.
- 8 new security fixes for Oracle Java SE. All of these vulnerabilities may be remotely exploitable without authentication
As with almost all previous Oracle E-Business Suite Critical Patch Updates (CPU), the July 2018 quarterly patch is significant and high-risk. 51 of the past 55 quarterly patches are significant and high-risk as they fix one or more SQL injection vulnerabilities or other damaging security vulnerabilities in the web application of Oracle E-Business Suite. Despite the publicity, marketing, or naming of specific vulnerabilities, this quarter is no different than previous quarters in terms of risk and prioritization within your organization.
For this quarter, there are 10 cross-site scripting (XSS) vulnerabilities and 4 other types of vulnerabilities fixed. Most important is that 13 of the 14 vulnerabilities are remotely exploitable without authentication.
Externally facing Oracle E-Business Suite environments (DMZ) running iStore should take immediate action to mitigate the three vulnerabilities impacting iStore. These web pages are allowed by the URL Firewall if the iStore module is enabled. Two of the three are cross-site scripting (XSS) vulnerabilities, which requires interaction with the end-user such as clicking a link but allows for the attacker to hijack the end-users session.
July 2018 Recommendations
As with almost all Critical Patch Updates, the security vulnerabilities fixes are significant and high-risk. Corrective action should be taken immediately for all Oracle E-Business Suite environments. The most at risk implementations are those running Internet facing self-service modules (iStore for this CPU) and Integrigy rates this CPU as high risk due to the large number of cross-site scripting (XSS) vulnerabilities that can be remotely exploited without authentication.
These implementations should:
- Apply the CPU as soon as possible or use a virtual patching solution such as App Defend and
- Ensure the DMZ is properly configured according to the EBS specific instructions and the EBS URL Firewall is enabled and optimized.
Most Oracle E-Business Suite environments do not apply the CPU security patch in a timely manner and are vulnerable to full compromise of the application through exploitation of multiple vulnerabilities. If the CPU cannot be applied quickly, the only effective alternative is the use of Integrity’s App Defend, an application firewall for the Oracle E-Business Suite. App Defend provides virtual patching and can effectively replace patching of EBS web security vulnerabilities.
Oracle E-Business Suite 12.1 & 12.2 Patching
For 12.2, there are no significant changes from previous CPUs and 12.2.3 along with R12.AD.C.DELTA.10 and R12.TXK.C.DELTA.10 roll-up patches is the minimum baseline. In addition to the cumulative EBS security patch, the July 2018 WebLogic 10.3.6 PSU must be applied (PSU 10.3.6.0.180717 – Patch 27919965).
For 12.1, there are no significant changes from the previous CPUs and the major requirement is the Oracle Application Server must be upgraded to 10.1.3.5. No security patches are required for the Oracle Application Server.
Only 22.214.171.124 and 126.96.36.199 versions of the Oracle Database are supported and the database must be upgraded in order to apply this quarter’s database security patch if it has not already been upgraded. For the database there is a OJVM security patch, so either the combo patch must be applied or a separate OJVM patch must be applied to correct the vulnerability in the Java Virtual Machine (JVM) in the database which is used by Oracle E-Business Suite.
Oracle E-Business Suite 12.0
CPU support for Oracle E-Business Suite 12.0 ended January 2015 and there are no security fixes for this release. Integrity’s initial analysis of the CPU shows all 14 vulnerabilities are exploitable in 12.0. In order to protect your application environment, the Integrity App Defend application firewall for Oracle E-Business Suite provides virtual patching for all these exploitable web security vulnerabilities.
Oracle E-Business Suite 11i
As of April 2016, the 11i CPU patches are only available for Oracle customers with Tier 1 Support. Integrity’s analysis of the July 2018 CPU shows at least 6 of the 14 vulnerabilities are also exploitable in 11i. 11i environments without Tier 1 Support should implement a web application firewall and virtual patching for Oracle E-Business Suite in order to remediate the large number of unpatched security vulnerabilities. As of July 2018, an unsupported Oracle E-Business Suite 11i environment will have approximately 200 unpatched vulnerabilities – a number of which are high-risk SQL injection security bugs.
11i Tier 1 Support has been extended through December 2018, thus October 2018 will be the final CPU for Oracle E-Business Suite 11i. At this time it is unclear if Oracle will again extend support for another year, therefore, organizations should plan that support will not be extended and being to take corrective action to ensure their environments are properly secured.
- Oracle E-Business Suite Risk Matrix
- Oracle E-Business Suite Release 12 Critical Patch Update Knowledge Document (July 2018) (Doc ID 2379675.1)
- Critical Patch Updates, Security Alerts and Bulletins
- Oracle Critical Patch Update Advisory – July 2018
Next Task For You
Begin your journey towards becoming an Apps DBA by joining our FREE Masterclass on How To Become an Oracle Apps DBA (R12) & Earn A Lot More In 2020.