SEVERAL VULNERABILITIES IDENTIFIED IN ORACLE PRODUCTS

A cybersecurity alert was issued Tuesday, April 20, 2021, regarding multiple vulnerabilities in Oracle products. The vulnerabilities could allow an attacker to execute remote code, which could potentially lead to a breach.

What It Is:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution. This information has been collected and distributed in Oracle's quarterly critical patches release.

Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution within the context of a privileged process. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If this application has been configured to have fewer user rights on the system, exploitation of the most severe of these vulnerabilities could have less impact than if it was configured with administrative rights.

Read Oracle's original Security Alert.

Systems Affected:

  • Oracle Application Express, versions prior to 20.2
  • Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c
  • Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.22
  • Oracle NoSQL Database, versions prior to 20.3
  • Oracle REST Data Services, versions prior to 20.4.3.50.1904
  • Oracle Spatial Studio, versions prior to 19.1.0, prior to 20.1.1
  • Oracle SQL Developer, versions prior to 20.4.1.407.6
  • Oracle Commerce Guided Search, versions 11.0, 11.1
  • Oracle Commerce Merchandising, versions 11.0, 11.0.11.1, 11.1
  • Oracle Communications Calendar Server, version 8.0
  • Oracle Communications Contacts Server, version 8.0
  • Oracle Communications Design Studio, version 7.4.2
  • Oracle Communications Messaging Server, versions 8.0.2, 8.1, 8.1.0
  • Oracle Communications MetaSolv Solution, versions 6.3.0, 6.3.1
  • Oracle Communications Unified Inventory Management, versions 7.3.4, 7.3.5, 7.4.0, 7.4.1
  • Oracle Communications Application Session Controller, version 3.9m0p3
  • Oracle Communications Converged Application Server - Service Controller, version 6.2
  • Oracle Communications Evolved Communications Application Server, version 7.1
  • Oracle Communications Interactive Session Recorder, versions 6.3, 6.4
  • Oracle Communications Performance Intelligence Center Software, versions 10.4.0.2, 10.4.0.3
  • Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0
  • Oracle Communications Session Border Controller, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Communications Session Router, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Communications Subscriber-Aware Load Balancer, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Communications Unified Session Manager, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Enterprise Communications Broker, versions PCZ3.1, PCZ3.2, PCZ3.3
  • Oracle Enterprise Session Border Controller, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle SD-WAN Aware, version 8.2
  • Oracle SD-WAN Edge, versions 8.2, 9.0
  • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
  • Primavera Gateway, versions 17.12.0-17.12.10
  • Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12
  • Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10
  • Enterprise Manager Base Platform, version 13.4.0.0
  • Enterprise Manager for Fusion Middleware, versions 12.2.1.4, 13.4.0.0
  • Enterprise Manager for Virtualization, version 13.4.0.0
  • Enterprise Manager Ops Center, version 12.4.0.0
  • Oracle Banking Platform, versions 2.4.0, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0
  • Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
  • Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
  • Oracle Hospitality Inventory Management, version 9.1.0
  • Oracle Hospitality RES 3700, versions 5.7.0-5.7.6
  • Oracle API Gateway, version 11.1.2.4.0
  • Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle Endeca Information Discovery Studio, version 3.2.0.0
  • Oracle Enterprise Repository, version 11.1.1.7.0
  • Oracle Fusion Middleware, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
  • Oracle Identity Manager Connector, version 11.1.1.5.0
  • Oracle Outside In Technology, version 8.5.5
  • Oracle Platform Security for Java, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Service Bus, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle Health Sciences Empirica Signal, versions 9.0, 9.1
  • Oracle Health Sciences Information Manager, versions 3.0.0-3.0.2
  • Oracle Healthcare Foundation, versions 7.1.5, 7.2.2, 7.3.0, 7.3.1, 8.0.1
  • Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0
  • Oracle Hospitality OPERA 5, versions 5.5, 5.6
  • Hyperion Analytic Provider Services, versions 11.1.2.4, 12.2.1.4
  • Hyperion Financial Management, version 11.1.2.4
  • Oracle iLearning, versions 6.2, 6.3
  • Oracle Insurance Data Gateway, version 1.0.2.3
  • Oracle GraalVM Enterprise Edition, versions 19.3.5, 20.3.1.2, 21.0.0.2
  • Oracle Java SE, versions 7u291, 8u281, 11.0.10, 16
  • Oracle Java SE Embedded, version 8u281
  • JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.5.3
  • JD Edwards EnterpriseOne Tools, versions prior to 9.2.4.0, prior to 9.2.5.3
  • JD Edwards World Security, version A9.4
  • MySQL Cluster, versions 8.0.23 and prior
  • MySQL Enterprise Monitor, versions 8.0.23 and prior
  • MySQL Server, versions 5.7.33 and prior, 8.0.23 and prior
  • MySQL Workbench, versions 8.0.23 and prior
  • PeopleSoft Enterprise CS Campus Community, version 9.2
  • PeopleSoft Enterprise FIN Common Application Objects, version 9.2
  • PeopleSoft Enterprise FIN Expenses, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
  • PeopleSoft Enterprise PT PeopleTools, versions 8.56, 8.57, 8.58
  • PeopleSoft Enterprise SCM eProcurement, version 9.2
  • Oracle Retail Assortment Planning, version 16.0.3
  • Oracle Retail Back Office, version 14.1
  • Oracle Retail Category Management Planning & Optimization, version 16.0.3
  • Oracle Retail Central Office, version 14.1
  • Oracle Retail EFTLink, versions 15.0.2, 16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.0
  • Oracle Retail Insights Cloud Service Suite, version 19.0
  • Oracle Retail Item Planning, version 16.0.3
  • Oracle Retail Macro Space Optimization, version 16.0.3
  • Oracle Retail Merchandise Financial Planning, version 16.0.3
  • Oracle Retail Merchandising System, version 16.0.3
  • Oracle Retail Point-of-Service, version 14.1
  • Oracle Retail Predictive Application Server, versions 14.1, 15.0, 16.0
  • Oracle Retail Regular Price Optimization, version 16.0.3
  • Oracle Retail Replenishment Optimization, version 16.0.3
  • Oracle Retail Returns Management, version 14.1
  • Oracle Retail Sales Audit, version 14.0
  • Oracle Retail Size Profile Optimization, version 16.0.3
  • Oracle Retail Store Inventory Management, versions 14.1.3.10, 15.0.3.5, 16.0.3.5
  • Oracle Retail Xstore Point of Service, versions 15.0.4, 16.0.6, 17.0.4, 18.0.3, 19.0.2
  • Siebel Applications, versions 21.2 and prior
  • Oracle Cloud Infrastructure Storage Gateway, versions prior to 1.4
  • Oracle Storage Cloud Software Appliance, versions 16.3.1.4.1 and prior
  • Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite, versions 3.5, 3.6
  • Agile Product Lifecycle Management Integration Pack for SAP: Design to Release, versions 3.5, 3.6
  • Oracle Advanced Supply Chain Planning, versions 12.1, 12.2
  • Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6
  • Oracle Rapid Planning, version 12.1.3
  • OSS Support Tools, versions prior to 2.12.41
  • Oracle Solaris, versions 10, 11
  • Oracle ZFS Storage Appliance Kit, version 8.8
  • Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
  • Oracle Secure Global Desktop, version 5.6
  • Oracle VM VirtualBox, versions prior to 6.1.20
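To turn the affected-systems list above into a check against an installed-software inventory, here is an added Python example (not part of the Dox alert or of Oracle's advisory) that parses the list's version expressions ("prior to", "and prior", ranges, exact versions) and reports a status for each inventory item. The inventory is constructed sample data, and the matching rules, in particular treating several "and prior" bounds in one entry as separate release trains, are this example's own assumptions.

```python
import re

# Affected-systems entries copied verbatim from the advisory list above.
ADVISORY = [
    "Oracle Application Express, versions prior to 20.2",
    "Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c",
    "Primavera Gateway, versions 17.12.0-17.12.10",
    "MySQL Server, versions 5.7.33 and prior, 8.0.23 and prior",
]
STATUS = {True: "AFFECTED", False: "not affected", None: "manual review"}

def parse_version(text):
    """Dotted numeric version -> tuple of ints; '18c', 'Cz8.2' or '8u281' -> None."""
    text = text.strip()
    return tuple(int(p) for p in text.split(".")) if re.fullmatch(r"\d+(\.\d+)*", text) else None

def is_affected(entry, installed):
    """True/False when every needed comparison is numeric, None for manual review."""
    spec = entry.partition(", version")[2]
    clauses = [c.strip() for c in spec.lstrip("s").split(",")]
    installed = installed.strip()
    inst = parse_version(installed)
    # Assumption: two or more "and prior" bounds in one entry (MySQL 5.7.33 / 8.0.23)
    # describe separate release trains, so each applies only within its major.minor train.
    trains = sum(c.endswith("and prior") for c in clauses) > 1
    hit = unresolved = False
    for c in clauses:
        if c.startswith("prior to ") or c.endswith(" and prior") or "-" in c:
            bounds = [parse_version(p) for p in re.findall(r"[\d.]+", c)]
            if inst is None or None in bounds:
                unresolved = True          # non-numeric bound or version: review by hand
            elif c.startswith("prior to "):
                hit |= inst < bounds[0]
            elif c.endswith(" and prior"):
                hit |= inst <= bounds[0] and (not trains or inst[:2] == bounds[0][:2])
            else:
                hit |= bounds[0] <= inst <= bounds[1]
        else:
            hit |= installed == c          # exact version; also covers "19c"-style names
    return None if unresolved and not hit else hit

def triage(inventory):
    """(product, installed version) pairs -> {(product, version): status string}."""
    by_product = {e.partition(", version")[0]: e for e in ADVISORY}
    return {(p, v): STATUS[is_affected(by_product[p], v)] if p in by_product else "not listed"
            for p, v in inventory}

# Constructed sample inventory (not real hosts); 5.7.34 must not be flagged just because 5.7.34 < 8.0.23.
SAMPLE_INVENTORY = [("MySQL Server", "5.7.34"), ("MySQL Server", "8.0.22"),
                    ("Oracle Application Express", "19.2"), ("Primavera Gateway", "17.12.5"),
                    ("Oracle Database Server", "19c"), ("Oracle Database Server", "21c")]
```

Call `triage(SAMPLE_INVENTORY)` to get one status per inventory item; anything reported as "manual review" has a bound the simple numeric comparison cannot decide.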

Risk:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

What To Do:

We recommend the following actions be taken:
  • Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
  • Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

Negative Consequences of Lost or Stolen Data:

The loss or theft of proprietary data can have severe impacts, particularly if the compromise becomes public and sensitive information is exposed. Possible impacts include:
  • Temporary or permanent loss of sensitive or proprietary information.
  • Disruption to regular operations.
  • Financial losses incurred to restore systems and files.
  • Potential harm to an organization’s reputation.

Should your agency or business need assistance with issues arising from vulnerabilities in Oracle products, including updates, Dox can help. Please contact Dox if there is anything we can do to assist in securing your agency, business, or organization.

Thank you for your time and stay safe online.