Oracle Quarterly Critical Patches Issued April 16, 2019
MS-ISAC ADVISORY NUMBER:
2019-044
DATE(S) ISSUED:
04/16/2019
OVERVIEW:
Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.
SYSTEMS AFFECTED:
- • Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4
- • Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
- • Enterprise Manager Ops Center, version 12.3.3
- • FMW Platform, version 12.2.1.3.0
- • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
- • JD Edwards EnterpriseOne Tools, version 9.2
- • JD Edwards World Technical Foundation, versions A9.2, A9.3.1, A9.4
- • MICROS Lucas, versions 2.9.5.6, 2.9.5.7
- • MICROS Relate CRM Software, version 11.4
- • MICROS Retail-J, version 12.1.2
- • MySQL Connectors, versions 5.3.12 and prior, 8.0.15 and prior
- • MySQL Enterprise Backup, versions 3.12.3 and prior, 4.1.2 and prior
- • MySQL Enterprise Monitor, versions 4.0.8 and prior, 8.0.14 and prior
- • MySQL Server, versions 5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
- • Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5
- • Oracle API Gateway, version 11.1.2.4.0
- • Oracle Application Testing Suite, version 13.3.0.1
- • Oracle AutoVue 3D Professional Advanced, versions 21.0.0, 21.0.1
- • Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0
- • Oracle Berkeley DB, versions prior to 6.138, prior to 18.1.32
- • Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
- • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
- • Oracle Business Process Management Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
- • Oracle Business Transaction Management, version 12.1.0
- • Oracle Commerce Merchandising, version 11.2.0.3
- • Oracle Commerce Platform, versions 11.2.0.3, 11.3.1
- • Oracle Communications Application Session Controller, versions 3.7.1, 3.8.0
- • Oracle Communications EAGLE Application Processor, versions 16.1.0, 16.2.0
- • Oracle Communications EAGLE LNP Application Processor, versions 10.0, 10.1, 10.2
- • Oracle Communications Instant Messaging Server, version 10.0.1
- • Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2
- • Oracle Communications LSMS, versions 13.1, 13.2, 13.3
- • Oracle Communications Messaging Server, versions 8.0, 8.1
- • Oracle Communications Operations Monitor, versions 3.4, 4.0
- • Oracle Communications Policy Management, versions 12.1, 12.2, 12.3, 12.4
- • Oracle Communications Pricing Design Center, versions 11.1, 12.0
- • Oracle Communications Service Broker Engineered System Edition, version 6.0
- • Oracle Communications Service Broker, version 6.0
- • Oracle Communications Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0
- • Oracle Communications Unified Inventory Management, versions 7.3.2, 7.3.4, 7.3.5, 7.4.0
- • Oracle Configuration Manager, version 12.1.0
- • Oracle Configurator, versions 12.1, 12.2
- • Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0
- • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
- • Oracle E-Business Suite, versions 0.9.8, 1.0.0, 1.0.1, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
- • Oracle Endeca Information Discovery Integrator, version 3.2.0
- • Oracle Enterprise Communications Broker, versions 3.0.0, 3.1.0
- • Oracle Enterprise Operations Monitor, versions 3.4, 4.0
- • Oracle Enterprise Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0
- • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3 – 7.3.5, 8.0.0 – 8.0.7
- • Oracle Financial Services Asset Liability Management, versions 8.0.4 – 8.0.7
- • Oracle Financial Services Data Integration Hub, versions 8.0.5 – 8.0.7
- • Oracle Financial Services Funds Transfer Pricing, versions 8.0.4 – 8.0.7
- • Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4 – 8.0.7
- • Oracle Financial Services Liquidity Risk Management, versions 8.0.2 – 8.0.6
- • Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.2 – 8.0.7
- • Oracle Financial Services Market Risk Measurement and Management, versions 8.0.5, 8.0.6
- • Oracle Financial Services Profitability Management, versions 8.0.4 – 8.0.6
- • Oracle Financial Services Reconciliation Framework, versions 8.0.5, 8.0.6
- • Oracle FLEXCUBE Private Banking, versions 2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
- • Oracle Fusion Middleware MapViewer, version 12.2.1.3.0
- • Oracle Health Sciences Data Management Workbench, version 2.4.8
- • Oracle Healthcare Master Person Index, versions 3.0, 4.0
- • Oracle Hospitality Cruise Dining Room Management, version 8.0.80
- • Oracle Hospitality Cruise Fleet Management, version 9.0.11
- • Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
- • Oracle Hospitality Reporting and Analytics, version 9.1.0
- • Oracle HTTP Server, version 12.2.1.3.0
- • Oracle Identity Analytics, version 11.1.1.5.8
- • Oracle Java SE Embedded, version 8u201
- • Oracle Java SE, versions 7u211, 8u202, 11.0.2, 12
- • Oracle JDeveloper, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
- • Oracle Knowledge, versions 8.5.1.0 – 8.5.1.7, 8.6.0, 8.6.1
- Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.3.0
- Oracle Outside In Technology, versions 8.5.3, 8.5.4
- Oracle Real-Time Scheduler, version 2.3.0
- Oracle Retail Convenience Store Back Office, version 3.6
- Oracle Retail Customer Engagement, versions 16.0, 17.0
- Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0
- Oracle Retail Invoice Matching, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
- Oracle Retail Merchandising System, versions 15.0, 16.0
- Oracle Retail Order Broker, versions 5.1, 5.2, 15.0, 16.0
- Oracle Retail Point-of-Service, versions 13.4, 14.0, 14.1
- Oracle Retail Workforce Management Software, version 1.60.9.0.0
- Oracle Retail Xstore Point of Service, versions 7.0, 7.1
- Oracle Secure Global Desktop, version 5.4
- Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
- Oracle SOA Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
- Oracle Solaris, versions 10, 11
- Oracle Traffic Director, version 11.1.1.9.0
- Oracle Transportation Management, versions 6.3.7, 6.4.2, 6.4.3
- Oracle Tuxedo, version 12.1.1.0.0
- • Oracle Utilities Framework, versions 2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.1.0, 18.1.0.0.0, 18.2.0.0.0
- Oracle Utilities Mobile Workforce Management, version 2.3.0
- Oracle Utilities Network Management System, version 1.12.0.3
- Oracle VM VirtualBox, versions prior to 5.2.28, prior to 6.0.6
- Oracle WebCenter Portal, version 12.2.1.3.0
- Oracle WebCenter Sites, version 12.2.1.3.0
- • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
- • OSS Support Tools, version 19.1
- • PeopleSoft Enterprise ELM Enterprise Learning Management, version 9.2
- • PeopleSoft Enterprise ELM, version 9.2
- • PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57
- • PeopleSoft Enterprise PT PeopleTools, versions 8.55, 8.56, 8.57
- • Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 17.7 – 17.12, 18.8
- • Primavera Unifier, versions 16.1, 16.2, 17.7 – 17.12, 18.8
- • Siebel Applications, version 19.3
RISK:
Government:
- Large and medium government entities: HIGH
- Small government entities: HIGH
Businesses:
- Large and medium business entities: HIGH
- Small business entities: HIGH
Home Users:
LOW
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
- Remind users not to visit websites or follow links provided by unknown or untrusted sources.
- Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
- Apply the Principle of Least Privilege to all systems and services.