Oracle Quarterly Critical Patches Issued January 14, 2020

Oracle Quarterly Critical Patches Issued January 14, 2020

MS-ISAC ADVISORY NUMBER:

2020-007

DATE(S) ISSUED:

01/14/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0, 13.3.0.0
  • Enterprise Manager for Fusion Middleware, versions 13.2.0.0, 13.3.0.0
  • Enterprise Manager for Oracle Database, versions 12.1.0.5, 13.2.0.0, 13.3.0.0
  • Enterprise Manager Ops Center, versions 12.3.3, 12.4.0
  • Hyperion Financial Close Management, version 11.1.2.4
  • Hyperion Planning, version 11.1.2.4
  • Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0
  • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
  • JD Edwards EnterpriseOne Orchestrator, version 9.2
  • JD Edwards EnterpriseOne Tools, version 9.2
  • MySQL Client, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior
  • MySQL Cluster, versions 7.3.27 and prior, 7.4.25 and prior, 7.5.15 and prior, 7.6.12 and prior
  • MySQL Connectors, versions 5.3.13 and prior, 8.0.18 and prior
  • MySQL Enterprise Backup, versions 3.12.4 and prior, 4.1.3 and prior
  • MySQL Server, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior
  • MySQL Workbench, versions 8.0.18 and prior
  • Oracle Agile Engineering Data Management, versions 6.2.0, 6.2.1
  • Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6
  • Oracle Agile PLM Framework, version 9.3.3
  • Oracle Agile PLM MCAD Connector, versions 3.4, 3.5, 3.6
  • Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
  • Oracle AutoVue, version 12.0.2
  • Oracle Banking Corporate Lending, versions 12.3.0-12.4.0, 14.0.0-14.3.0
  • Oracle Banking Payments, versions 14.1.0-14.3.0
  • Oracle Big Data Discovery, version 1.6
  • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Clinical, version 5.2
  • Oracle Coherence, versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Communications Design Studio, versions 7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0, 7.4.1.1.0
  • Oracle Communications Diameter Signaling Router (DSR), versions 8.0, 8.1, 8.2, 8.3, 8.4
  • Oracle Communications Instant Messaging Server, version 10.0.1.3.0
  • Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2, 6.3
  • Oracle Communications IP Service Activator, versions 7.3.4, 7.4.0
  • Oracle Communications Session Border Controller, versions 7.4, 8.0, 8.1, 8.2, 8.3
  • Oracle Communications Session Router, versions 7.4, 8.0, 8.1, 8.2, 8.3
  • Oracle Communications Subscriber-Aware Load Balancer, versions 7.3, 8.1, 8.3
  • Oracle Communications Unified Inventory Management, versions 7.3, 7.4
  • Oracle Communications Unified Session Manager, versions 7.3.5, 8.2.5
  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.1.0.11, 12.2.0.1, 18c, 19c, 29, 212.2.0.1
  • Oracle Demantra Demand Management, versions 12.2.4, 12.2.4.1, 12.2.5, 12.2.5.1
  • Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9
  • Oracle Endeca Information Discovery Integrator, version 3.2.0
  • Oracle Endeca Information Discovery Studio, version 3.2.0
  • Oracle Enterprise Communications Broker, versions PCz3.0, PCz3.1, PCz3.2
  • Oracle Enterprise Repository, version 12.1.3.0.0
  • Oracle Enterprise Session Border Controller, versions 7.5, 8.0, 8.1, 8.2, 8.3
  • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3-7.3.5, 8.0.0-8.0.8
  • Oracle Financial Services Funds Transfer Pricing, versions 8.0.2-8.0.7
  • Oracle Financial Services Revenue Management and Billing, versions 2.7.0.0, 2.7.0.1, 2.8.0.0
  • Oracle FLEXCUBE Investor Servicing, versions 12.1.0-12.4.0, 14.0.0-14.1.0
  • Oracle FLEXCUBE Universal Banking, versions 12.0.1-12.4.0, 14.0.0-14.3.0
  • Oracle GraalVM Enterprise Edition, version 19.3.0.2
  • Oracle Health Sciences Data Management Workbench, versions 2.4, 2.5
  • Oracle Healthcare Master Person Index, version 3.0
  • Oracle Hospitality Cruise Materials Management, version 7.30.567
  • Oracle Hospitality Guest Access, version 4.2
  • Oracle Hospitality OPERA 5, versions 5.5, 5.6
  • Oracle Hospitality Suites Management, versions 3.7, 3.8
  • Oracle HTTP Server, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • Oracle iLearning, version 6.1
  • Oracle Java SE, versions 7u241, 8u231, 8u241, 11.0.5, 13.0.1
  • Oracle Java SE Embedded, version 8u231
  • Oracle Outside In Technology, version 8.5.4
  • Oracle Real-Time Scheduler, versions 2.3.0.1-2.3.0.3
  • Oracle Reports Developer, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3
  • Oracle Retail Clearance Optimization Engine, versions 13.4, 14.0, 14.0.3, 14.0.5
  • Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0
  • Oracle Retail Markdown Optimization, versions 13.4, 13.4.4
  • Oracle Retail Order Broker, versions 5.2, 15.0, 16.0, 18.0
  • Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3
  • Oracle Retail Sales Audit, version 15.0.3.16.0.2
  • Oracle Secure Global Desktop, versions 5.4, 5.5
  • Oracle Security Service, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • Oracle Solaris, versions 10, 11
  • Oracle Tuxedo, versions 12.1.1.0.0, 12.1.3.0.0
  • Oracle Utilities Framework, versions 4.2.0.2-4.2.0.3, 4.3.0.1-4.3.0.4
  • Oracle Utilities Mobile Workforce Management, versions 2.3.0.1-2.3.0.3
  • Oracle Utilities Work and Asset Management (v1), version 1.9.1.2
  • Oracle VM Server for SPARC, version 3.6
  • Oracle VM VirtualBox, versions prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
  • Oracle WebCenter Sites, version 12.2.1.3.0
  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
  • PeopleSoft Enterprise CC Common Application Objects, versions 9.1, 9.2
  • PeopleSoft Enterprise HCM Human Resources, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
  • PeopleSoft PeopleTools, versions 8.56, 8.57
  • Primavera Gateway, versions 15.2.18, 16.2.11, 17.12.6, 18.8.8.1
  • Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.16.0, 18.1.0.0-18.8.16.0, 19.12.0.0, 20.1.0.0
  • Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12
  • Siebel Applications, versions 19.10 and prior
  • Sun ZFS Storage Appliance Kit, version 8.8.6
  • Tape Library ACSLS, versions 8.5, 8.5.1

RISK:

Government:

  • Large and medium government entities: HIGH
  • Small government entities: HIGH

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: HIGH

Home Users:

LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES: