CIS Logo
tagline: Confidence in the Connected World

Oracle Quarterly Critical Patches Issued April 16, 2019

MS-ISAC ADVISORY NUMBER:

2019-044

DATE(S) ISSUED:

04/16/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • • Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4
  • • Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
  • • Enterprise Manager Ops Center, version 12.3.3
  • • FMW Platform, version 12.2.1.3.0
  • • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
  • • JD Edwards EnterpriseOne Tools, version 9.2
  • • JD Edwards World Technical Foundation, versions A9.2, A9.3.1, A9.4
  • • MICROS Lucas, versions 2.9.5.6, 2.9.5.7
  • • MICROS Relate CRM Software, version 11.4
  • • MICROS Retail-J, version 12.1.2
  • • MySQL Connectors, versions 5.3.12 and prior, 8.0.15 and prior
  • • MySQL Enterprise Backup, versions 3.12.3 and prior, 4.1.2 and prior
  • • MySQL Enterprise Monitor, versions 4.0.8 and prior, 8.0.14 and prior
  • • MySQL Server, versions 5.6.43 and prior, 5.7.25 and prior, 8.0.15 and prior
  • • Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5
  • • Oracle API Gateway, version 11.1.2.4.0
  • • Oracle Application Testing Suite, version 13.3.0.1
  • • Oracle AutoVue 3D Professional Advanced, versions 21.0.0, 21.0.1
  • • Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0
  • • Oracle Berkeley DB, versions prior to 6.138, prior to 18.1.32
  • • Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • • Oracle Business Process Management Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • • Oracle Business Transaction Management, version 12.1.0
  • • Oracle Commerce Merchandising, version 11.2.0.3
  • • Oracle Commerce Platform, versions 11.2.0.3, 11.3.1
  • • Oracle Communications Application Session Controller, versions 3.7.1, 3.8.0
  • • Oracle Communications EAGLE Application Processor, versions 16.1.0, 16.2.0
  • • Oracle Communications EAGLE LNP Application Processor, versions 10.0, 10.1, 10.2
  • • Oracle Communications Instant Messaging Server, version 10.0.1
  • • Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2
  • • Oracle Communications LSMS, versions 13.1, 13.2, 13.3
  • • Oracle Communications Messaging Server, versions 8.0, 8.1
  • • Oracle Communications Operations Monitor, versions 3.4, 4.0
  • • Oracle Communications Policy Management, versions 12.1, 12.2, 12.3, 12.4
  • • Oracle Communications Pricing Design Center, versions 11.1, 12.0
  • • Oracle Communications Service Broker Engineered System Edition, version 6.0
  • • Oracle Communications Service Broker, version 6.0
  • • Oracle Communications Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0
  • • Oracle Communications Unified Inventory Management, versions 7.3.2, 7.3.4, 7.3.5, 7.4.0
  • • Oracle Configuration Manager, version 12.1.0
  • • Oracle Configurator, versions 12.1, 12.2
  • • Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0
  • • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
  • • Oracle E-Business Suite, versions 0.9.8, 1.0.0, 1.0.1, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
  • • Oracle Endeca Information Discovery Integrator, version 3.2.0
  • • Oracle Enterprise Communications Broker, versions 3.0.0, 3.1.0
  • • Oracle Enterprise Operations Monitor, versions 3.4, 4.0
  • • Oracle Enterprise Session Border Controller, versions 8.0.0, 8.1.0, 8.2.0
  • • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3 - 7.3.5, 8.0.0 - 8.0.7
  • • Oracle Financial Services Asset Liability Management, versions 8.0.4 - 8.0.7
  • • Oracle Financial Services Data Integration Hub, versions 8.0.5 - 8.0.7
  • • Oracle Financial Services Funds Transfer Pricing, versions 8.0.4 - 8.0.7
  • • Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4 - 8.0.7
  • • Oracle Financial Services Liquidity Risk Management, versions 8.0.2 - 8.0.6
  • • Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.2 - 8.0.7
  • • Oracle Financial Services Market Risk Measurement and Management, versions 8.0.5, 8.0.6
  • • Oracle Financial Services Profitability Management, versions 8.0.4 - 8.0.6
  • • Oracle Financial Services Reconciliation Framework, versions 8.0.5, 8.0.6
  • • Oracle FLEXCUBE Private Banking, versions 2.0.0.0, 2.2.0.1, 12.0.1.0, 12.0.3.0, 12.1.0.0
  • • Oracle Fusion Middleware MapViewer, version 12.2.1.3.0
  • • Oracle Health Sciences Data Management Workbench, version 2.4.8
  • • Oracle Healthcare Master Person Index, versions 3.0, 4.0
  • • Oracle Hospitality Cruise Dining Room Management, version 8.0.80
  • • Oracle Hospitality Cruise Fleet Management, version 9.0.11
  • • Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
  • • Oracle Hospitality Reporting and Analytics, version 9.1.0
  • • Oracle HTTP Server, version 12.2.1.3.0
  • • Oracle Identity Analytics, version 11.1.1.5.8
  • • Oracle Java SE Embedded, version 8u201
  • • Oracle Java SE, versions 7u211, 8u202, 11.0.2, 12
  • • Oracle JDeveloper, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • • Oracle Knowledge, versions 8.5.1.0 - 8.5.1.7, 8.6.0, 8.6.1
  • Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.3.0
  • Oracle Outside In Technology, versions 8.5.3, 8.5.4
  • Oracle Real-Time Scheduler, version 2.3.0
  • Oracle Retail Convenience Store Back Office, version 3.6
  • Oracle Retail Customer Engagement, versions 16.0, 17.0
  • Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0
  • Oracle Retail Invoice Matching, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
  • Oracle Retail Merchandising System, versions 15.0, 16.0
  • Oracle Retail Order Broker, versions 5.1, 5.2, 15.0, 16.0
  • Oracle Retail Point-of-Service, versions 13.4, 14.0, 14.1
  • Oracle Retail Workforce Management Software, version 1.60.9.0.0
  • Oracle Retail Xstore Point of Service, versions 7.0, 7.1
  • Oracle Secure Global Desktop, version 5.4
  • Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • Oracle SOA Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • Oracle Solaris, versions 10, 11
  • Oracle Traffic Director, version 11.1.1.9.0
  • Oracle Transportation Management, versions 6.3.7, 6.4.2, 6.4.3
  • Oracle Tuxedo, version 12.1.1.0.0
  • • Oracle Utilities Framework, versions 2.2.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.2.0, 4.3.0.3.0, 4.3.0.4.0, 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.1.0, 18.1.0.0.0, 18.2.0.0.0
  • Oracle Utilities Mobile Workforce Management, version 2.3.0
  • Oracle Utilities Network Management System, version 1.12.0.3
  • Oracle VM VirtualBox, versions prior to 5.2.28, prior to 6.0.6
  • Oracle WebCenter Portal, version 12.2.1.3.0
  • Oracle WebCenter Sites, version 12.2.1.3.0
  • • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
  • • OSS Support Tools, version 19.1
  • • PeopleSoft Enterprise ELM Enterprise Learning Management, version 9.2
  • • PeopleSoft Enterprise ELM, version 9.2
  • • PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57
  • • PeopleSoft Enterprise PT PeopleTools, versions 8.55, 8.56, 8.57
  • • Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 17.7 - 17.12, 18.8
  • • Primavera Unifier, versions 16.1, 16.2, 17.7 - 17.12, 18.8
  • • Siebel Applications, version 19.3

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Protect Your Systems from Cyber Threats Like This

CIS Control That Helps Avoid This Issue Arrow CIS Control 3: Continuous Vulnerability Assessment and Remediation CIS Benchmarks and Other Tools for Related Technology Arrow Oracle Database Arrow Oracle MySQL

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0

Pencil Blog post 20 May 2019
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0