Oracle has issued its regular quarterly set of security patches, the January Critical Patch Update (CPU), addressing a total of 334 vulnerabilities across multiple products, many of them remotely exploitable without credentials.
Oracle credits Onapsis researcher Martin Doyhenard with finding the two most serious bugs, each rated 9.9 on the Common Vulnerability Scoring System (CVSS) 3.0 scale.
The vulnerabilities are in the Human Resources Hierarchy Diagrammers module of Oracle’s E-Business Suite (EBS) enterprise resource planning software, versions 12.1.1 to 12.1.3 and 12.2.3 to 12.2.9. They can be exploited remotely with no authentication or user interaction required, and the attacks are easy to carry out.
Onapsis said the vulnerabilities it reported can be exploited by attackers to create malicious wire transfers or to print fake cheques.
The two vulnerabilities are related to earlier flaws in Oracle’s Thin Client Framework (TCF), which uses Java Database Connectivity (JDBC) drivers.
Onapsis first reported those TCF flaws in 2017, and they have received patches since then.
Even though the new vulnerabilities are in the Human Resources module, Oracle warned that “attacks may significantly impact additional products.”
Apart from fraud scenarios, unpatched Oracle EBS systems are at risk of data compromise.
In total, Oracle EBS received 23 patches in this update, with 21 of the vulnerabilities listed as remotely exploitable without authentication.
Modules in Oracle’s Communications Applications suite, such as the Instant Messaging Server, Interactive Session Recorder, IP Service Activator and Unified Inventory Management, are likewise vulnerable to remote attacks without authentication, with five flaws rated at CVSS 9.8 each.
A further 34 CVSS 9.8 vulnerabilities are found in Oracle’s Construction and Engineering, Enterprise Manager, Fusion Middleware, GraalVM, Health Sciences, Hyperion, JD Edwards, PeopleSoft, Retail Applications, Siebel, Systems, and Utilities Applications modules.
Oracle warns that it continues to periodically receive reports of malicious attempts at exploiting vulnerabilities for which patches have been released, but which customers have failed to apply.
The IT giant urged customers to use only actively supported versions of products, and to apply critical security patches without delay.