Oracle Patches 250 Bugs in Quarterly Critical Patch Update

http://ift.tt/2x2AZtn

Oracle patched 250 vulnerabilities across hundreds of different products as part of its quarterly Critical Patch Update released today.

Rounding out the list of products with the most patches is Oracle Fusion Middleware with 38 patches, Oracle Hospitality Applications with 37 and Oracle MySQL with 25.

The bulletin does not immediately indicate the number of critical patches. However, security researchers at Onapsis said they identified three high-risk SQL injection vulnerabilities in Oracle’s popular Oracle E-Business Suite (EBS).

“While all three are high-risk vulnerabilities, one (CVE-2017-10332) is very easy to exploit,” said JP Perez-Etchegoyen, CTO of Onapsis.

Onapsis is warning users of Oracle EBS (versions 12.1 and 12.2) that they are exposed to SQL injection vulnerabilities that could allow an attacker, over a network without any username and password credentials, to potentially gain access to and modify critical documents and information such as credit card data, customer information, HR documents or financial records.

Perez-Etchegoyen said each of the SQL injection vulnerabilities can easily be exploited by attackers, who could disrupt, exfiltrate or manipulate data that is part of a business’ enterprise resource planning, supply chain management or finance management systems.

“These vulnerabilities are especially risky as an attacker would only need a web browser and network access to the EBS system HTTP interface to perform it,” Perez-Etchegoyen said.

Onapsis said vulnerabilities found in Oracle’s EBS are on the rise, with a 29 percent increase in 2017 compared to the previous year.

The patches come just weeks after Oracle OpenWorld where Larry Ellison, co-founder, executive chairman and chief technology officer of Oracle, stressed the importance of security during his keynote. Ellison also used the occasion to stress the importance of software patching in light of the recent Equifax breach.

Last month, Oracle used its advisory as an opportunity to remind users that in April it fixed the Struts vulnerability (CVE-2017-5638) which was behind Equifax’s massive breach of 143 million Americans.

Organizations are falling down when it comes to patching their most important business-critical applications, Perez-Etchegoyen said.

Citing a recent Ponemon Research study, Perez-Etchegoyen said less than half of the 600 respondents interviewed said they have a monthly plan to implement security patches for their Oracle EBS applications. Seventy percent believe it is likely their company would have a data breach due to insecure Oracle EBS applications that they have failed to secure or apply patches to.

Also part of Oracle’s quarterly update are patches for its Java Platform, Standard Edition, which received 22 new security fixes. Twenty of these vulnerabilities may be remotely exploitable without authentication, that is, they may be exploited over a network without requiring user credentials, Oracle said. The highest CVSS base score of vulnerabilities affecting Oracle Java SE is 9.6.

Impacted are Java Advanced Management Console, Java SE, Java SE Embedded and JRockit.

Oracle Database Server received six security fixes with two of the vulnerabilities remotely exploitable without authentication. Affected Oracle Database Server components include Spatial (Apache Groovy), WLM (Apache Tomcat), Java VM, RDBMS Security, Core RDBMS and XML Database.


Security News

via Threatpost | The first stop for security news http://threatpost.com

October 17, 2017 at 06:13PM

Do Work!

http://ift.tt/2ywXqdJ

Finding the way to your first job in cyber security

By Jonathan Omansky, Senior Director, Development, Security Technology & Response Team

Symantec’s Jonathan Omansky provides a simple set of steps to launch a career in cyber security and to address the critical shortage of qualified cyber security professionals. Check out his first article on how to break into the cyber security field. This week he focuses on step two: research, learn, and assess—and most importantly, do work!

I was raised to know that education and hard work provide opportunities. If I didn’t know how to do something, I learned it through whatever means possible. If books or teachers weren’t available, I’d watch someone (or three people if need be) do a task and then emulate what I saw. I’d read up on a topic, try different ways of getting something done, and learn from my errors.

Let’s use learning how to build an automobile engine as an example. It’s a big job and what I quickly learned is that all big goals need to be broken up into smaller, more digestible chunks of learning. I also learned that I didn’t need to know how to construct the whole engine at first. Instead, I started by focusing on my needs at the time. For instance, I could start by learning how to change the oil or replace a spark plug, completing smaller tasks that allowed me to move forward towards my ultimate goal.

This approach is no different in security. It may seem daunting to learn how to code, to reverse engineer, or to construct a sound security architecture system. If you have interest and ability, the great thing about the security field is people are hiring even if you only currently know how to “change the oil”. Opportunities in cyber security exist at all levels, and now is the best time to jump in!

This brings me to my next bit of advice for those keen on entering our field. Below you’ll find six simple steps to launch a career in cyber security and in this article, I’ll cover the second step, research, learn, and assess, in detail.

  1. Define your career focus
  2. Research, learn, and assess
  3. Read and write
  4. Formulate a view of the attack 
  5. Make friends, make lots of different friends
  6. Don’t be afraid to be wrong


Above: Jonathan Omansky visits Year Up Bay Area as a guest speaker for Symantec Cyber Career Connection students, where he offered tips on cyber security as well as career guidance.

#2. Research, learn, and assess

If you haven’t already selected an area of focus based on my previous blog recommendations, or are overwhelmed by the process of choosing an area, this approach might help.

Research

Many of the interns I’ve mentored, from colleges, prep schools, retraining programs, and other learning institutions, came into their internships with no exposure to security at all. In these situations, the first thing we work on is finding an area of security that interests them. To do this, I give all interns a learning task, for example, reading up on the latest corporate hack or information leak.

You can find these examples using resources like RSS feeds or news aggregators and focusing your reading on all things cyber security. This is one of my favorite news feeds, and Symantec’s own Security Response blog is a great place to start. Twitter is also an excellent resource for reading up on the latest cyber security news. Find a handful of well-known cyber security professionals (including yours truly @jomansky), follow them, and then add some of their followers.

From there I ask them to break down the technical aspects of the story, focusing on things like: why the topic is important; what the risks are and who is at risk; how to detect the threat; and how to protect against it. This process often helps students find topics they are excited to learn about, and provides me with an opportunity to shape their internships.

Learn

Once you’ve defined your focus, it’s up to you to dive in and learn to “change the oil”. Let’s use incident response (IR) as an example. There are a ton of books, blogs, videos, and other learning materials that provide the basic steps on responding to an incident. These tools vary in length and complexity, and once you’ve explored a handful you’ll begin to see a pattern. You’ll learn about IR fundamentals from the perspective of a CSO, a CISO, a junior analyst, a government worker, and more.

It’s also helpful to review articles about actual incidents across different business sectors. Reading the analyst’s view of a particular incident can help you learn what he or she did right or wrong, where technology played a role, and where it was a people or process breakdown. This should give you a sense of what responding to an incident looks like, and give you insight into how to correct specific problems from happening again.

Learning about IR strategies is a great first step. When paired with technical awareness of the tools an incident responder might use to do the job, many of which are free or have trial versions along with demos, you are on your way to your first career opportunity in cyber security.

Assess

After researching security areas, and learning all you can, I next suggest assessing where your knowledge gaps are, and filling them. Focusing on what you’re missing can help ensure you have the full range of knowledge on a topic and that you can speak to it when asked in an interview. Taking incident response as our example again, review the duties and expectations of a dozen incident responder-related jobs, to see where you still need to build skills. Focus on what you’re missing and how you plan to gain that knowledge. The information is out there; go get it!

Though we focused on only one particular category of the cyber security space, incident response, as our example, the approach is the same for all positions, even the more technically advanced roles. The tools and knowledge are available and the cyber security skills gap in today’s job market needs to be filled. It’s up to you to grab this information, learn it, and get your foot in the door.

Follow our CR in Action blog for more on how to launch a cyber security career. Interested in a career in cyber security? Learn more about the Symantec Cyber Career Connection(Symantec C3), which provides a mix of targeted classroom education, non-technical skills development, and cyber security internships to position students to fill in-demand cyber security 


via Symantec Connect – Security – Blog-Einträge http://ift.tt/2eQnB7E

October 17, 2017 at 06:11PM

Vuln: Oracle E-Business Suite CVE-2017-10416 Remote Security Vulnerability

http://ift.tt/2ghnO0M

Bugtraq ID: 101303
Class: Unknown
CVE: CVE-2017-10416
Remote: Yes
Local: No
Published: Oct 18 2017 12:00AM
Updated: Oct 18 2017 12:00AM
Credit: Vahagn Vardanyan of ERPScan
Vulnerable: Oracle E-Business Suite 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
Not Vulnerable:


via SecurityFocus Vulnerabilities http://ift.tt/Y0pFEv

October 17, 2017 at 06:07PM

Vuln: Oracle E-Business Suite CVE-2017-10417 Remote Security Vulnerability

http://ift.tt/2yos4GF

Bugtraq ID: 101308
Class: Unknown
CVE: CVE-2017-10417
Remote: Yes
Local: No
Published: Oct 17 2017 12:00AM
Updated: Oct 17 2017 10:03PM
Credit: Vahagn Vardanyan of ERPScan
Vulnerable: Oracle E-Business Suite 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
Not Vulnerable:


via SecurityFocus Vulnerabilities http://ift.tt/Y0pFEv

October 17, 2017 at 06:07PM

Vuln: Oracle E-Business Suite CVE-2017-10329 Remote Security Vulnerability

http://ift.tt/2ghnLlC

Bugtraq ID: 101300
Class: Unknown
CVE: CVE-2017-10329
Remote: Yes
Local: No
Published: Oct 17 2017 12:00AM
Updated: Oct 17 2017 10:03PM
Credit: Juan Pablo Perez Etchegoyen of Onapsis
Vulnerable: Oracle E-Business Suite 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
Not Vulnerable:


via SecurityFocus Vulnerabilities http://ift.tt/Y0pFEv

October 17, 2017 at 06:07PM

Vuln: Oracle Hospitality Hotel Mobile CVE-2017-10014 Remote Security Vulnerability

http://ift.tt/2yptr7V

Bugtraq ID: 101299
Class: Unknown
CVE: CVE-2017-10014
Remote: Yes
Local: No
Published: Oct 17 2017 12:00AM
Updated: Oct 17 2017 10:03PM
Credit: Oracle
Vulnerable: Oracle Hospitality Hotel Mobile 1.1
Not Vulnerable:


via SecurityFocus Vulnerabilities http://ift.tt/Y0pFEv

October 17, 2017 at 06:07PM

Windows Kernel Pool nt!NtQueryObject Memory Disclosure

http://ift.tt/2grInLL

It was discovered that the nt!NtQueryObject syscall handler discloses portions of uninitialized pool memory to user-mode clients when certain conditions are met.


via Exploit Files ≈ Packet Storm http://ift.tt/1Fpvz7L

October 17, 2017 at 05:24PM

WordPress Influencer Marketing And Press Release System 2.2 XSS

http://ift.tt/2ysvJAI

Posted Oct 16, 2017
Authored by Ricardo Sanchez

WordPress Influencer Marketing and Press Release System plugin version 2.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | bb9fd8af678bc4aeb2ce39173e2416cb

Class: Input Validation Error
Remote: Yes
Reflected: Yes
Credit: Ricardo Sanchez
Vulnerable: Influencer Marketing & Press Release System plugin 2.2

The Influencer Marketing & Press Release System plugin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.

Exploitation details:
The XSS is reflected because the "impress_s" value is not filtered correctly; the WordPress sanitize_text_field() function it passes through can be bypassed:

<input type="text" id="impress_search_feed_input" name="impress_s"
value="<?php echo (isset($_GET['impress_s']) && !empty($_GET['impress_s'])) ? sanitize_text_field($_GET['impress_s']) : ""; ?>" required="required" />

Demo URL: http://localhost/wordpress/wp-admin/admin.php?impress_s=" onmouseover=alert(1) display=&page=imkt_feed&impress_search_btn=impress_search_feed_btn
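The root cause above is a context mismatch: sanitize_text_field() is a text sanitizer (it strips tags and whitespace) but does not encode quotes, so a value echoed inside value="..." can still close the attribute. The following is an added example, not the plugin's or Packet Storm's code, showing the vulnerable rendering beside a hardened one that escapes for the attribute context with esc_attr(). It assumes it may run outside WordPress, so both WordPress functions are approximated with function_exists() guards; inside WordPress the real functions are used.

```php
<?php
// Added example (not the plugin's code): attribute-context escaping versus text sanitizing.
// Assumption: when run outside WordPress, the two WP functions are approximated below.

if (!function_exists('sanitize_text_field')) {
    // Approximation of WordPress sanitize_text_field(): strip tags, collapse whitespace,
    // trim. Note that it leaves double quotes untouched, which is the gap being shown.
    function sanitize_text_field($str)
    {
        $str = strip_tags((string) $str);
        $str = preg_replace('/\s+/', ' ', $str);
        return trim($str);
    }
}

if (!function_exists('esc_attr')) {
    // Approximation of WordPress esc_attr(): encode &, <, >, " and ' for HTML attributes.
    function esc_attr($str)
    {
        return htmlspecialchars((string) $str, ENT_QUOTES, 'UTF-8');
    }
}

// Rendering as in the advisory: sanitized, but not escaped for the attribute it lands in.
function render_vulnerable($term)
{
    $value = ($term !== '') ? sanitize_text_field($term) : '';
    return '<input type="text" name="impress_s" value="' . $value . '" required="required" />';
}

// Hardened rendering: the sanitizer may stay, but output is always escaped for the context.
function render_hardened($term)
{
    $value = ($term !== '') ? esc_attr(sanitize_text_field($term)) : '';
    return '<input type="text" name="impress_s" value="' . $value . '" required="required" />';
}

// Defensive check for a rendered snippet: does a raw double quote survive inside the
// value attribute (i.e. could the attribute be closed early)?
function attribute_breaks_out($html)
{
    if (!preg_match('/value="(.*)" required=/s', $html, $m)) {
        return false;
    }
    return strpos($m[1], '"') !== false;
}

// Constructed input in the shape of the advisory's demo parameter.
$term = '" onmouseover=alert(1) display=';

foreach (['vulnerable' => render_vulnerable($term), 'hardened' => render_hardened($term)] as $label => $html) {
    printf("%s: %s\n  raw quote inside value attribute: %s\n",
        $label, $html, attribute_breaks_out($html) ? 'yes' : 'no');
}
```

Run it with `php example.php`. The vulnerable line renders `value="" onmouseover=alert(1) display="`, so the browser sees a new attribute; the hardened line renders `value="&quot; onmouseover=alert(1) display="`, which the browser treats as plain text inside the attribute. The general rule this illustrates is that sanitizing on input and escaping on output are different jobs, and the output escaper must match the context (attribute, element body, URL, JavaScript).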


via Exploit Files ≈ Packet Storm http://ift.tt/1Fpvz7L

October 17, 2017 at 05:24PM

BrandPost: Cyberinsurance shifts to the mainstream

http://ift.tt/2ytFajm

Cyberinsurance shifts to the mainstream

By Paul Gillin

With cyberattacks growing more common and ferocious, now is a good time to look into cyberinsurance. Be prepared to ask a lot of questions before making a decision. The market for these new-fangled policies is still young, which means coverage and costs differ widely between providers.

Cyberinsurance basically protects your business against catastrophic losses in the event of a security breach. Not surprisingly, its popularity is growing. A survey conducted last year by the Risk and Insurance Management Society found that 80 percent of companies bought a stand-alone cybersecurity policy in 2016, up 29 percent from the year before. Premiums totaled $1.35 billion last year, up 35 percent from 2015.

Insurance can cover a wide variety of costs related to a breach, including investigation expenses, compensating the business for losses due to downtime, business interruption, costs of notifying affected customers and business partners and legal costs related to lawsuits and extortion.

You might find that your existing liability policy contains clauses related to cyberinsurance, but experts generally agree that a stand-alone policy is a better bet. General liability policies may cover only property damage, which is almost irrelevant in a cyberattack. It’s also a good idea to ask if coverage can be retroactive, since it takes more than 200 days for the average business to discover that it has been breached.

Determine what types of attacks are covered. Insurance companies won’t pay out if they believe an insured client hasn’t put appropriate protections in place. Phishing attacks, which are growing quickly and which use social engineering instead of software, may not be covered under those terms. Your ability to prove that you have employee education programs in place can become important in these types of attacks.

Deductibles are all over the map. As with any insurance policy, determine how much cost your company can comfortably absorb before you need insurance. The higher that number, the lower the premium. Ransomware attacks, which tripled last year and now occur once every 40 seconds, generally demand smaller payouts and may come in under the deductible threshold for many policies, making ransomware protection basically pointless.

Ask if coverage also extends to third parties, such as business partners and service providers. You don’t want your business to be left dead in the water because your internet service falls victim to a denial-of-service attack.

Check into coverage limits for legal settlements and related costs, such as providing credit monitoring services for affected customers. Also consider the cost of damaged reputation and the communications expenses that may be necessary to restore customer confidence.

Cyberinsurance isn’t a get-out-of-jail-free card. Most policies will stipulate that you must make a good-faith effort to defend yourself. At a minimum, be ready to show that all employees are aware of good password, authentication and data protection procedures. It’s also helpful if you can show that you have engaged third parties to advise you and performed regular penetration testing and incident response drills. Some insurance companies may request an audit before writing a policy or surprise audits after the fact. Don’t go seeking insurance until you are sure that your own security house is in order.

Finally, shop around. While there are more than 130 insurance organizations writing premiums, their offerings can vary dramatically. Look at not only their coverage but their alliances. This new type of insurance can protect an organization in new and often surprising ways.

Paul Gillin writes, speaks and trains marketers and corporate executives to think like publishers. Gillin specializes in social media for B2B companies. He is a veteran technology journalist with more than 25 years of editorial leadership experience. All opinions expressed are his own. AT&T has sponsored this blog post.

Be one of the first to receive the latest AT&T Cybersecurity Insights report, Mind the Gap: Cybersecurity’s Big Disconnect. You’ll learn more about minimizing gaps in your cybersecurity strategy and how to defend against the growing cyberthreats. Sign up today!


via CSO Online http://ift.tt/2gDzvif

October 17, 2017 at 05:14PM

CVE-2017-15537

http://ift.tt/2x27gAP


via National Vulnerability Database http://ift.tt/OD63ZH

October 17, 2017 at 04:25PM