Oracle Quarterly Critical Patches Issued October 15, 2019

racle Quarterly Critical Patches Issued October 15, 2019

MS-ISAC ADVISORY NUMBER:

2019-110

DATE(S) ISSUED:

10/16/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4
  • Diagnostic Assistant, version 2.12.36
  • Enterprise Manager Base Platform, versions 13.2, 13.3
  • Enterprise Manager for Exadata, versions 12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0
  • Enterprise Manager Ops Center, versions 12.3.3, 12.4.0
  • Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2361, prior to XCP3071
  • Hyperion Data Relationship Management, version 11.1.2.4
  • Hyperion Enterprise Performance Management Architect, version 11.1.2.4
  • Hyperion Financial Reporting, version 11.1.2.4
  • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
  • JD Edwards EnterpriseOne Tools, version 4.0.1.0
  • MICROS Relate CRM Software, versions 7.1.0, 11.4, 15.0.0, 16.0.0, 17.0.0, 18.0.0
  • MICROS Retail XBRi Loss Prevention, version 10.8.3
  • MySQL Connectors, versions 5.3.13 and prior, 8.0.17 and prior
  • MySQL Enterprise Monitor, versions 8.0.17 and prior
  • MySQL Server, versions 5.6.45 and prior, 5.7.27 and prior, 8.17 and prior
  • MySQL Workbench, versions 8.0.17 and prior
  • Oracle Agile PLM, versions 9.3.3-9.3.6
  • Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0
  • Oracle API Gateway, version 11.1.2.4.0
  • Oracle Application Testing Suite, versions 13.2, 13.3
  • Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1
  • Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1
  • Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Clusterware, version 19.0.0.0.0
  • Oracle Data Integrator, version 12.2.1.3.0
  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
  • Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9
  • Oracle Enterprise Repository, version 12.1.3.0.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.2-8.0.8
  • Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.6, 8.0.7
  • Oracle Financial Services Retail Performance Analytics, versions 8.0.6, 8.0.7
  • Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
  • Oracle Forms, version 12.2.1.3.0
  • Oracle GoldenGate Application Adapters, version 12.3.2.1.0
  • Oracle GraalVM Enterprise Edition, version 19.2.0
  • Oracle Healthcare Foundation, versions 7.1.1, 7.2.2
  • Oracle Healthcare Translational Research, versions 3.1.0, 3.2.1, 3.3.1
  • Oracle Hospitality Cruise Dining Room Management, version 8.0.80
  • Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
  • Oracle Hospitality Materials Control, version 18.1
  • Oracle Hospitality Reporting and Analytics, version 9.1.0
  • Oracle Hospitality RES 3700, version 5.7
  • Oracle Java SE, versions 7u231, 8u221, 11.0.4, 13
  • Oracle Java SE Embedded, version 8u221
  • Oracle JDeveloper and ADF, versions 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0
  • Oracle NoSQL Database, versions prior to 19.3.12
  • Oracle Outside In Technology, version 8.5.4
  • Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15
  • Oracle Policy Automation Connector for Siebel, version 10.4.6
  • Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.15
  • Oracle Retail Customer Insights, versions 15.0, 16.0
  • Oracle Retail Customer Management and Segmentation Foundation, version 17.0
  • Oracle Retail Integration Bus, versions 15.0, 16.0
  • Oracle Retail Xstore Office, version 7.1
  • Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 17.0.3, 18.0, 18.0.1, 19.0.0
  • Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • Oracle SOA Suite, version 12.2.1.3.0
  • Oracle Solaris, versions 10, 11
  • Oracle Virtual Directory, version 11.1.1.9.0
  • Oracle VM VirtualBox, versions prior to 5.2.34, prior to 6.0.14
  • Oracle Web Services, version 12.2.1.3.0
  • Oracle WebCenter Portal, version 12.2.1.3.0
  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
  • PeopleSoft Enterprise HCM Human Resources, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57
  • PeopleSoft Enterprise SCM eProcurement, version 9.2
  • Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8
  • Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13
  • Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8
  • Siebel Applications, versions 19.8 and prior

RISK:

Government:

  • Large and medium government entities: HIGH
  • Small government entities: HIGH

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: HIGH

Home Users:

LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES: