Oracle Patches 250 Bugs in Quarterly Critical Patch Update


Oracle patched 250 vulnerabilities across hundreds of different products as part of its quarterly Critical Patch Update released today.

Rounding out the list of products with the most patches is Oracle Fusion Middleware with 38, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.

Of the critical patches, security researchers at Onapsis said that they identified three high-risk SQL injection vulnerabilities in Oracle’s popular E-Business Suite (EBS).

“While all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,” said JP Perez-Etchegoyen, CTO of Onapsis.

Onapsis is warning users of Oracle EBS (versions 12.1 and 12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network without any username and password credentials, to potentially gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.

Perez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers who can disrupt, exfiltrate or manipulate data that is part of a business’ enterprise resource planning, supply chain management or finance management systems.

“These vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,” Perez-Etchegoyen said.


Source: ThreatPost