Critical Patches Issued for Oracle Products

A cybersecurity alert was issued Tuesday, Jan. 14, 2020, regarding critical patches that are now available for Oracle products. Multiple vulnerabilities in Oracle products could potentially lead to the loss or theft of data. The patches address these vulnerabilities in order to prevent a potential breach.

What It Is:
Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

Read the original Oracle Critical Patch Update Advisory.

Systems Affected:

• Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0, 13.3.0.0
• Enterprise Manager for Fusion Middleware, versions 13.2.0.0, 13.3.0.0
• Enterprise Manager for Oracle Database, versions 12.1.0.5, 13.2.0.0, 13.3.0.0
• Enterprise Manager Ops Center, versions 12.3.3, 12.4.0
• Hyperion Financial Close Management, version 11.1.2.4
• Hyperion Planning, version 11.1.2.4
• Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0
• Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
• JD Edwards EnterpriseOne Orchestrator, version 9.2
• JD Edwards EnterpriseOne Tools, version 9.2
• MySQL Client, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior
• MySQL Cluster, versions 7.3.27 and prior, 7.4.25 and prior, 7.5.15 and prior, 7.6.12 and prior
• MySQL Connectors, versions 5.3.13 and prior, 8.0.18 and prior
• MySQL Enterprise Backup, versions 3.12.4 and prior, 4.1.3 and prior
• MySQL Server, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior
• MySQL Workbench, versions 8.0.18 and prior
• Oracle Agile Engineering Data Management, versions 6.2.0, 6.2.1
• Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6
• Oracle Agile PLM Framework, version 9.3.3
• Oracle Agile PLM MCAD Connector, versions 3.4, 3.5, 3.6
• Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1
• Oracle AutoVue, version 12.0.2
• Oracle Banking Corporate Lending, versions 12.3.0-12.4.0, 14.0.0-14.3.0
• Oracle Banking Payments, versions 14.1.0-14.3.0
• Oracle Big Data Discovery, version 1.6
• Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
• Oracle Clinical, version 5.2
• Oracle Coherence, versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
• Oracle Communications Design Studio, versions 7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0, 7.4.1.1.0
• Oracle Communications Diameter Signaling Router (DSR), versions 8.0, 8.1, 8.2, 8.3, 8.4
• Oracle Communications Instant Messaging Server, version 10.0.1.3.0
• Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2, 6.3
• Oracle Communications IP Service Activator, versions 7.3.4, 7.4.0
• Oracle Communications Session Border Controller, versions 7.4, 8.0, 8.1, 8.2, 8.3
• Oracle Communications Session Router, versions 7.4, 8.0, 8.1, 8.2, 8.3
• Oracle Communications Subscriber-Aware Load Balancer, versions 7.3, 8.1, 8.3
• Oracle Communications Unified Inventory Management, versions 7.3, 7.4
• Oracle Communications Unified Session Manager, versions 7.3.5, 8.2.5
• Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.1.0.11, 12.2.0.1, 18c, 19c, 29, 212.2.0.1
• Oracle Demantra Demand Management, versions 12.2.4, 12.2.4.1, 12.2.5, 12.2.5.1
• Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9
• Oracle Endeca Information Discovery Integrator, version 3.2.0
• Oracle Endeca Information Discovery Studio, version 3.2.0
• Oracle Enterprise Communications Broker, versions PCz3.0, PCz3.1, PCz3.2
• Oracle Enterprise Repository, version 12.1.3.0.0
• Oracle Enterprise Session Border Controller, versions 7.5, 8.0, 8.1, 8.2, 8.3
• Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3-7.3.5, 8.0.0-8.0.8
• Oracle Financial Services Funds Transfer Pricing, versions 8.0.2-8.0.7
• Oracle Financial Services Revenue Management and Billing, versions 2.7.0.0, 2.7.0.1, 2.8.0.0
• Oracle FLEXCUBE Investor Servicing, versions 12.1.0-12.4.0, 14.0.0-14.1.0
• Oracle FLEXCUBE Universal Banking, versions 12.0.1-12.4.0, 14.0.0-14.3.0
• Oracle GraalVM Enterprise Edition, version 19.3.0.2
• Oracle Health Sciences Data Management Workbench, versions 2.4, 2.5
• Oracle Healthcare Master Person Index, version 3.0
• Oracle Hospitality Cruise Materials Management, version 7.30.567
• Oracle Hospitality Guest Access, version 4.2
• Oracle Hospitality OPERA 5, versions 5.5, 5.6
• Oracle Hospitality Suites Management, versions 3.7, 3.8
• Oracle HTTP Server, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
• Oracle iLearning, version 6.1
• Oracle Java SE, versions 7u241, 8u231, 8u241, 11.0.5, 13.0.1
• Oracle Java SE Embedded, version 8u231
• Oracle Outside In Technology, version 8.5.4
• Oracle Real-Time Scheduler, versions 2.3.0.1-2.3.0.3
• Oracle Reports Developer, versions 12.2.1.3.0, 12.2.1.4.0
• Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3
• Oracle Retail Clearance Optimization Engine, versions 13.4, 14.0, 14.0.3, 14.0.5
• Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0
• Oracle Retail Markdown Optimization, versions 13.4, 13.4.4
• Oracle Retail Order Broker, versions 5.2, 15.0, 16.0, 18.0
• Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3
• Oracle Retail Sales Audit, version 15.0.3.16.0.2
• Oracle Secure Global Desktop, versions 5.4, 5.5
• Oracle Security Service, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
• Oracle Solaris, versions 10, 11
• Oracle Tuxedo, versions 12.1.1.0.0, 12.1.3.0.0
• Oracle Utilities Framework, versions 4.2.0.2-4.2.0.3, 4.3.0.1-4.3.0.4
• Oracle Utilities Mobile Workforce Management, versions 2.3.0.1-2.3.0.3
• Oracle Utilities Work and Asset Management (v1), version 1.9.1.2
• Oracle VM Server for SPARC, version 3.6
• Oracle VM VirtualBox, versions prior to 5.2.36, prior to 6.0.16, prior to 6.1.2
• Oracle WebCenter Sites, version 12.2.1.3.0
• Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
• PeopleSoft Enterprise CC Common Application Objects, versions 9.1, 9.2
• PeopleSoft Enterprise HCM Human Resources, version 9.2
• PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
• PeopleSoft PeopleTools, versions 8.56, 8.57
• Primavera Gateway, versions 15.2.18, 16.2.11, 17.12.6, 18.8.8.1
• Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.16.0, 18.1.0.0-18.8.16.0, 19.12.0.0, 20.1.0.0
• Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12
• Siebel Applications, versions 19.10 and prior
• Sun ZFS Storage Appliance Kit, version 8.8.6
• Tape Library ACSLS, versions 8.5, 8.5.1
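
As an added example (not part of the original alert or of Oracle's advisory), the sketch below triages an asset inventory against three rows transcribed from the list above. It assumes that the first two version components identify a release branch; the host names and the inventory are constructed for illustration.

```python
# Added example: triage an inventory against a few rows of the affected list.
# Only dotted numeric versions are handled (not strings such as "8u231").

# (ceiling, inclusive): "X and prior" includes X, "prior to X" excludes it.
AFFECTED = {
    "MySQL Server": [("5.6.46", True), ("5.7.28", True), ("8.0.18", True)],
    "MySQL Cluster": [("7.3.27", True), ("7.4.25", True),
                      ("7.5.15", True), ("7.6.12", True)],
    "Oracle VM VirtualBox": [("5.2.36", False), ("6.0.16", False),
                             ("6.1.2", False)],
}

def parse(version):
    """'8.0.18' -> (8, 0, 18), so 8.0.9 sorts below 8.0.18."""
    return tuple(int(part) for part in version.split("."))

def classify(product, version):
    rules = AFFECTED.get(product)
    if rules is None:
        return "not-tracked"          # product not transcribed into AFFECTED
    v = parse(version)
    for ceiling, inclusive in rules:
        c = parse(ceiling)
        if v[:2] == c[:2]:            # same release branch (major.minor)
            hit = v <= c if inclusive else v < c
            return "affected" if hit else "not-affected"
    # No listed branch matches: older than every listed branch needs a human.
    lowest = min(parse(c) for c, _ in rules)
    return "review" if v < lowest else "not-listed"

def triage(inventory):
    return [(host, product, version, classify(product, version))
            for host, product, version in inventory]

# Constructed sample inventory; host names are hypothetical.
INVENTORY = [
    ("db01", "MySQL Server", "5.7.28"),
    ("db02", "MySQL Server", "5.7.29"),
    ("db03", "MySQL Server", "8.0.9"),
    ("db04", "MySQL Server", "5.5.62"),
    ("dev07", "Oracle VM VirtualBox", "6.1.2"),
    ("dev08", "Oracle VM VirtualBox", "6.0.14"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print("%-6s %-22s %-8s %s" % row)
```

The "review" status marks versions older than every listed branch, which the list does not name individually and which should be checked by hand.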

Risk:
Government:
• Large and medium government entities: High
• Small government entities: High
Businesses:
• Large and medium business entities: High
• Small business entities: High
Home users: Low

What To Do:
We recommend the following actions be taken:

• Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
• Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
• Remind users not to visit websites or follow links provided by unknown or untrusted sources.
• Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
• Apply the Principle of Least Privilege to all systems and services.

Negative Consequences of Lost or Stolen Data:
The loss or theft of proprietary data can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:

• Temporary or permanent loss of sensitive or proprietary information.
• Disruption to regular operations.
• Financial losses incurred to restore systems and files.
• Potential harm to an organization’s reputation.

Should your agency or business need assistance with issues arising from vulnerabilities in Oracle products, including updates and/or patches, Dox can help. Please contact Dox if there is anything we can do to assist in securing your agency, business, or organization.

Thank you for your time and stay safe online.