CIS Logo
tagline: Confidence in the Connected World

Oracle Quarterly Critical Patches Issued April 16, 2019

MS-ISAC ADVISORY NUMBER:

2019-044

DATE(S) ISSUED:

04/16/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • • Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4
  • • Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
  • • Enterprise Manager Ops Center, version 12.3.3
  • • FMW Platform, version 12.2.1.3.0
  • • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
  • • JD Edwards EnterpriseOne Tools, version 9.2
  • • JD Edwards World Technical Foundation, versions A9.2, A9.3.1, A9.4
  • • MICROS Lucas, versions 2.9.5.6, 2.9.5.7
  • • MICROS Relate CRM Software, version 11.4
  • • MICROS Retail-J, version 12.1.2
  • • MySQL Connectors, versions 5.3.12 and prior, 8.0.15 and prior
  • • MySQL Enterprise Backup, versions 3.12.3 and prior, 4.1.2 and prior
  • • MySQL Enterprise Monitor, versions 4.0.8 and prior, 8.0.14 and prior
  • • MySQL Server, versions 5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
  • • Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5
  • • Oracle API Gateway, version 11.1.2.4.0
  • • Oracle Application Testing Suite, version 13.3.0.1
  • • Oracle AutoVue 3D Professional Advanced, versions 21.0.0, 21.0.1
  • • Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0
  • • Oracle Berkeley DB, versions prior to 6.138, prior to 18.1.32
  • • Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • • Oracle Business Process Management Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • • Oracle Business Transaction Management, version 12.1.0
  • • Oracle Commerce Merchandising, version 11.2.0.3
  • • Oracle Commerce Platform, versions 11.2.0.3, 11.3.1
  • • Oracle Communications Application Session Controller, versions 3.7.1, 3.8.0
  • • Oracle Communications EAGLE Application Processor, versions 16.1.0, 16.2.0
  • • Oracle Communications EAGLE LNP Application Processor, versions 10.0, 10.1, 10.2
  • • Oracle Communications Instant Messaging Server, version 10.0.1
  • • Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2
  • • Oracle Communications LSMS, versions 13.1, 13.2, 13.3
  • • Oracle Communications Messaging Server, versions 8.0, 8.1
  • • Oracle Communications Operations Monitor, versions 3.4, 4.0
  • • Oracle Communications Policy Management, versions 12.1, 12.2, 12.3, 12.4
  • • Oracle Communications Pricing Design Center, versions 11.1, 12.0
  • • Oracle Communications Service Broker Engineered System Edition, version 6.0
  • • Oracle Communications Service Broker, version 6.0
  • • Oracle Communications Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0
  • • Oracle Communications Unified Inventory Management, versions 7.3.2, 7.3.4, 7.3.5, 7.4.0
  • • Oracle Configuration Manager, version 12.1.0
  • • Oracle Configurator, versions 12.1, 12.2
  • • Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0
  • • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
  • • Oracle E-Business Suite, versions 0.9.8, 1.0.0, 1.0.1, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
  • • Oracle Endeca Information Discovery Integrator, version 3.2.0
  • • Oracle Enterprise Communications Broker, versions 3.0.0, 3.1.0
  • • Oracle Enterprise Operations Monitor, versions 3.4, 4.0
  • • Oracle Enterprise Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0
  • • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3 - 7.3.5, 8.0.0 - 8.0.7
  • • Oracle Financial Services Asset Liability Management, versions 8.0.4 - 8.0.7
  • • Oracle Financial Services Data Integration Hub, versions 8.0.5 - 8.0.7
  • • Oracle Financial Services Funds Transfer Pricing, versions 8.0.4 - 8.0.7
  • • Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4 - 8.0.7
  • • Oracle Financial Services Liquidity Risk Management, versions 8.0.2 - 8.0.6
  • • Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.2 - 8.0.7
  • • Oracle Financial Services Market Risk Measurement and Management, versions 8.0.5, 8.0.6
  • • Oracle Financial Services Profitability Management, versions 8.0.4 - 8.0.6
  • • Oracle Financial Services Reconciliation Framework, versions 8.0.5, 8.0.6
  • • Oracle FLEXCUBE Private Banking, versions 2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
  • • Oracle Fusion Middleware MapViewer, version 12.2.1.3.0
  • • Oracle Health Sciences Data Management Workbench, version 2.4.8
  • • Oracle Healthcare Master Person Index, versions 3.0, 4.0
  • • Oracle Hospitality Cruise Dining Room Management, version 8.0.80
  • • Oracle Hospitality Cruise Fleet Management, version 9.0.11
  • • Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
  • • Oracle Hospitality Reporting and Analytics, version 9.1.0
  • • Oracle HTTP Server, version 12.2.1.3.0
  • • Oracle Identity Analytics, version 11.1.1.5.8
  • • Oracle Java SE Embedded, version 8u201
  • • Oracle Java SE, versions 7u211, 8u202, 11.0.2, 12
  • • Oracle JDeveloper, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • • Oracle Knowledge, versions 8.5.1.0 - 8.5.1.7, 8.6.0, 8.6.1
  • Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.3.0
  • Oracle Outside In Technology, versions 8.5.3, 8.5.4
  • Oracle Real-Time Scheduler, version 2.3.0
  • Oracle Retail Convenience Store Back Office, version 3.6
  • Oracle Retail Customer Engagement, versions 16.0, 17.0
  • Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0
  • Oracle Retail Invoice Matching, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
  • Oracle Retail Merchandising System, versions 15.0, 16.0
  • Oracle Retail Order Broker, versions 5.1, 5.2, 15.0, 16.0
  • Oracle Retail Point-of-Service, versions 13.4, 14.0, 14.1
  • Oracle Retail Workforce Management Software, version 1.60.9.0.0
  • Oracle Retail Xstore Point of Service, versions 7.0, 7.1
  • Oracle Secure Global Desktop, version 5.4
  • Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • Oracle SOA Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • Oracle Solaris, versions 10, 11
  • Oracle Traffic Director, version 11.1.1.9.0
  • Oracle Transportation Management, versions 6.3.7, 6.4.2, 6.4.3
  • Oracle Tuxedo, version 12.1.1.0.0
  • • Oracle Utilities Framework, versions 2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.1.0, 18.1.0.0.0, 18.2.0.0.0
  • Oracle Utilities Mobile Workforce Management, version 2.3.0
  • Oracle Utilities Network Management System, version 1.12.0.3
  • Oracle VM VirtualBox, versions prior to 5.2.28, prior to 6.0.6
  • Oracle WebCenter Portal, version 12.2.1.3.0
  • Oracle WebCenter Sites, version 12.2.1.3.0
  • • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
  • • OSS Support Tools, version 19.1
  • • PeopleSoft Enterprise ELM Enterprise Learning Management, version 9.2
  • • PeopleSoft Enterprise ELM, version 9.2
  • • PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57
  • • PeopleSoft Enterprise PT PeopleTools, versions 8.55, 8.56, 8.57
  • • Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 17.7 - 17.12, 18.8
  • • Primavera Unifier, versions 16.1, 16.2, 17.7 - 17.12, 18.8
  • • Siebel Applications, version 19.3

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0
CONTROL: 3 --- ADVISORY CONTROL: 0

Pencil Blog post 18 Jul 2019
CONTROL: 4 --- ADVISORY CONTROL: 0