Oracle Quarterly Critical Patches Issued January 15, 2019

Oracle Quarterly Critical Patches Issued January 15, 2019

MS-ISAC ADVISORY NUMBER:

2019-006

DATE(S) ISSUED:

01/15/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Enterprise Manager Base Platform, versions 12.1.0.5, 13.2, 13.3

  • Enterprise Manager for Virtualization, versions 13.2.2, 13.2.3, 13.3.1

  • Enterprise Manager Ops Center, versions 12.2.2, 12.3.3

  • Hyperion BI+, version 11.1.2.4

  • Java Advanced Management Console, version 2.12

  • JD Edwards EnterpriseOne Tools, version 9.2

  • JD Edwards World Security, versions A9.3, A9.3.1, A9.4

  • MySQL Connectors, versions 2.1.8 and prior, 8.0.13 and prior

  • MySQL Enterprise Monitor, versions 4.0.7 and prior, 8.0.13 and prior

  • MySQL Server, versions 5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior

  • MySQL Workbench, versions 8.0.13 and prior

  • Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1

  • Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0, 6.2.3.1

  • Oracle API Gateway, version 11.1.2.4.0

  • Oracle Application Testing Suite, versions 13.1.0.1, 13.2.0.1, 13.3.0.1

  • Oracle Argus Safety, versions 8.1, 8.2

  • Oracle Banking Platform, versions 2.5.0, 2.6.0, 2.6.1, 2.6.2

  • Oracle Business Process Management Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0

  • Oracle Communications Billing and Revenue Management, versions 7.5, 12.0

  • Oracle Communications Converged Application Server, versions prior to 7.0.0.1

  • Oracle Communications Converged Application Server – Service Controller, version 6.1

  • Oracle Communications Diameter Signaling Router (DSR), versions prior to 8.3

  • Oracle Communications Online Mediation Controller, version 6.1

  • Oracle Communications Performance Intelligence Center (PIC) Software, versions prior to 10.2.1

  • Oracle Communications Policy Management, versions prior to 12.5

  • Oracle Communications Service Broker, version 6.0

  • Oracle Communications Services Gatekeeper, versions prior to 6.1.0.4.0

  • Oracle Communications Session Border Controller, versions prior to SCz7310p4, prior to SCz740m2p3, prior to SCz741m1p5, prior to SCz800p7, prior to SCz810m1p9

  • Oracle Communications Unified Inventory Management, versions prior to 7.4.0

  • Oracle Communications Unified Session Manager, versions prior to SCz740m2p3, prior to SCz741m1p5, prior to SCz810m1p9

  • Oracle Communications WebRTC Session Controller, versions prior to 7.2

  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c

  • Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8

  • Oracle Endeca Server, version 7.7.0

  • Oracle Enterprise Communications Broker, versions prior to PCz220p1, prior to PCz300p2

  • Oracle Enterprise Repository, versions 12.1.3.0.0

  • Oracle Enterprise Session Border Controller, versions prior to ECz750p12, prior to ECz800p5

  • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3, 7.3.5, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7

  • Oracle FLEXCUBE Direct Banking, version 12.0.2

  • Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0

  • Oracle Fusion Middleware MapViewer, version 12.2.1.3.0

  • Oracle GoldenGate Application Adapters, version 12.3.2.1.1

  • Oracle Health Sciences Information Manager, version 3.0

  • Oracle Healthcare Foundation, versions 7.1, 7.2

  • Oracle Healthcare Master Person Index, versions 3.0, 4.0

  • Oracle Hospitality Cruise Fleet Management, version 9.0.10

  • Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.8

  • Oracle Hospitality Reporting and Analytics, version 9.1.0

  • Oracle Hospitality Simphony, version 2.10

  • Oracle HTTP Server, version 12.2.1.3

  • Oracle Insurance Calculation Engine, version 10.2

  • Oracle Insurance Insbridge Rating and Underwriting, versions 5.2, 5.4, 5.5

  • Oracle Insurance Policy Administration J2EE, versions 10.0, 10.2Oracle Insurance Policy Administration J2EE, versions 10.0, 10.2

  • Oracle Insurance Rules Palette, versions 10.0, 10.2

  • Oracle Java SE, versions 7u201, 8u192, 11.0.1

  • Oracle Java SE Embedded, version 8u191

  • Oracle Managed File Transfer, versions 12.2.1.3.0, 19.1.0.0.0

  • Oracle Outside In Technology, versions 8.5.3, 8.5.4.

  • Oracle Reports Developer, version 12.2.1.3

  • Oracle Retail Back Office, versions 13.3, 13.4, 14.0, 14.1

  • Oracle Retail Central Office, versions 13.3, 13.4, 14.0, 14.1

  • Oracle Retail Convenience and Fuel POS Software, version 2.8.1

  • Oracle Retail Customer Insights, versions 15.0, 16.0

  • Oracle Retail Integration Bus, version 17.0

  • Oracle Retail Merchandising System, version 14.1

  • Oracle Retail Returns Management, versions 13.3, 13.4, 14.0, 14.1

  • Oracle Retail Sales Audit, version 15.0

  • Oracle Retail Service Backbone, versions 13.1, 13.2, 14.0, 14.1, 15.0, 16.0

  • Oracle Retail Workforce Management Software, versions 1.60.9, 1.64.0

  • Oracle Retail Xstore Payment, version 3.3

  • Oracle Secure Global Desktop (SGD), version 5.4

  • Oracle Service Architecture Leveraging Tuxedo, versions 12.1.3.0.0, 12.2.2.0.0

  • Oracle SOA Suite, versions 12.1.3.0.0, 12.2.1.3.0

  • Oracle Transportation Management, versions 6.3.7, 6.4.1, 6.4.2, 6.4.3

  • Oracle Utilities Framework, version 4.3.0.1-4.3.0.4

  • Oracle Utilities Network Management System, versions 1.12.0.3, 2.3.0.0, 2.3.0.1, 2.3.0.2

  • Oracle VM VirtualBox, versions prior to 5.2.24, prior to 6.0.2

  • Oracle Web Cache, version 11.1.1.9.0

  • Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0

  • Oracle WebCenter Sites, version 11.1.1.8.0

  • Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.3

  • OSS Support Tools, versions prior to 19.1

  • PeopleSoft Enterprise CC Common Application Objects, version 9.2

  • PeopleSoft Enterprise CS Campus Community, versions 9.0, 9.2

  • PeopleSoft Enterprise HCM eProfile Manager Desktop, version 9.2

  • PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57

  • PeopleSoft Enterprise SCM eProcurement, version 9.2

  • Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8

  • Primavera Unifier, versions 16.1, 16.2, 17.1-17.12, 18.8

  • Siebel Applications, versions 18.10, 18.11, 18.12

  • Solaris, versions 10, 11

  • Sun ZFS Storage Appliance Kit (AK), versions prior to 8.8.1

  • Tape Library ACSLS, version 8.4

RISK:

Government:

  • Large and medium government entities: HIGH

  • Small government entities: HIGH

Businesses:

  • Large and medium business entities: HIGH

  • Small business entities: HIGH

Home Users:

LOW

RECOMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Oracle:

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

More information
https://www.cisecurity.org/advisory/oracle-quarterly-critical-patches-issued-ja…