tagline: Confidence in the Connected World
CIS Logo
HomeResourcesAdvisoriesOracle Quarterly Critical Patches Issued April 18, 2017

Oracle Quarterly Critical Patches Issued April 18, 2017

MS-ISAC ADVISORY NUMBER:

2017-038

DATE(S) ISSUED:

04/27/2017

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

THREAT INTELLIGENCE:

There have been no reports of this vulnerability being exploited in the wild

SYSTEMS AFFECTED:

  • Oracle Database Server:version(s) 11.2.0.4|12.1.0.2X
  • Oracle Secure Backup: version(s) prior to 12.1.0.2.0 and prior to 12.1.0.3
  • Oracle Berkeley DB, version(s) prior to 6.2.32
  • Oracle API Gateway, version(s) 11.1.2.4.0
  • Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.0, 12.2.1.1
  • Oracle Fusion Middleware MapViewer, version(s) 11.1.1.9, 12.2.1.1, 12.2.1.2
  • Oracle GlassFish Server, version(s) 3.1.2
  • Oracle Identity Manager, version(s) 11.1.2.3.0
  • Oracle Service Bus, version(s) 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0
  • Oracle Social Network, version(s) prior to 11.1.12.0.0 (17019101)
  • Oracle WebCenter Content, version(s) 11.1.1.7, 11.1.1.9, 12.2.1.0, 12.2.1.1, 12.2.1.2
  • Oracle WebCenter Sites, version(s) 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0
  • Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2
  • Oracle Hyperion Essbase, version(s) 11.1.2.2
  • Enterprise Manager Base Platform, version(s) 12.1.0, 13.1.0, 13.2.0
  • Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
  • Oracle Transportation Manager, version(s) 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1, 6.4.2
  • PeopleSoft Enterprise CS Campus Community, version(s) 9.2
  • PeopleSoft Enterprise FIN Receivables, version(s) 9.2
  • Adobe Acrobat DCversions 15.023.20070and prior for Windows and Macintosh
  • PeopleSoft Enterprise FSCM, version(s) 9.1
  • PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55
  • PeopleSoft Enterprise SCM eBill Payment, version(s) 9.2
  • PeopleSoft Enterprise SCM eSupplier Connection, version(s) 9.2
  • PeopleSoft Enterprise SCM Purchasing, version(s) 9.2
  • PeopleSoft Enterprise SCM Service Procurement, version(s) 9.2
  • PeopleSoft Enterprise SCM Strategic Sourcing, version(s) 9.2
  • JD Edwards EnterpriseOne Tools, version(s) 9.2
  • Siebel Applications, version(s) 6.1, 6.2, 7.0, 7.1
  • Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 6.1.4, 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2, 11.0, 11.1, 11.2
  • Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
  • Oracle Communications ASAP, version(s) 7.0, 7.2, 7.3
  • Oracle Communications Network Integrity, version(s) 7.2.4, 7.3.0
  • Oracle Communications Policy Management, version(s) 12.2
  • Oracle Communications Security Gateway, version(s) 3.0.0
  • Oracle Communications Service Broker Engineered System Edition, version(s) 6.0, 6.1
  • Oracle Communications Session Border Controller, version(s) SCZ7.3.0, SCZ7.4.0
  • Oracle Financial Services Analytical Applications Infrastructure, version(s) 7.3.3, 7.3.4, 7.3.5
  • Oracle Financial Services Asset Liability Management, version(s) 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4
  • Oracle Financial Services Basel Regulatory Capital Basic, version(s) 6.1.2, 6.1.3, 8.0.2, 8.0.3Oracle Financial Services Basel Regulatory Capital Basic
  • Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, version(s) 6.1.2, 6.1.3, 8.0.2, 8.0.3
  • Oracle Financial Services Data Foundation, version(s) 8.0.1, 8.0.2, 8.0.3, 8.0.4
  • Oracle Financial Services Data Integration Hub, version(s) 8.0.1, 8.0.2, 8.0.3, 8.0.4
  • Oracle Financial Services Enterprise Financial Performance Analytics, version(s) 8.0.0 to 8.0.4
  • Oracle Financial Services Funds Transfer Pricing, version(s) 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4
  • Oracle Financial Services Hedge Management and IFRS Valuations, version(s) 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4
  • Oracle Financial Services Institutional Performance Analytics, version(s) 8.0.0 to 8.0.4
  • Oracle Financial Services Liquidity Risk Management, version(s) 8.0.1, 8.0.2, 8.0.4
  • Oracle Financial Services Loan Loss Forecasting and Provisioning, version(s) 1.5.0, 1.5.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4
  • Oracle Financial Services Pricing Management/Transfer Pricing Component, version(s) 8.0.0 to 8.0.4
  • Oracle Financial Services Profitability Management, version(s) 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4
  • Oracle Financial Services Reconciliation Framework, version(s) 8.0.0, 8.0.1, 8.0.2
  • Oracle Financial Services Retail Customer Analytics, version(s) 8.0.0 to 8.0.3
  • Oracle Financial Services Retail Performance Analytics, version(s) 8.0.0 to 8.0.4
  • Oracle FLEXCUBE Direct Banking, version(s) 12.0.2, 12.0.3
  • Oracle FLEXCUBE Enterprise Limits and Collateral Management, version(s) 12.0.0, 12.0.1, 12.1.0
  • Oracle FLEXCUBE Investor Servicing, version(s) 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.1.0, 12.2.0, 12.3.0
  • Oracle FLEXCUBE Private Banking, version(s) 2.0.0, 2.0.1, 2.2.0.1, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0
  • Oracle FLEXCUBE Universal Banking, version(s) 11.3.0, 11.4.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
  • Oracle Insurance Data Foundation, version(s) 8.0.1, 8.0.2, 8.0.3, 8.0.4
  • Acrobat Reader DC: versions 15.020.20042 and prior for Windows and Macintosh
  • Oracle Healthcare Master Person Index, version(s) 3.0.0.x and 4.0.1.x, prior to and 2.0.1.x
  • Oracle Hospitality OPERA 5 Property Services, version(s) 5.4.0.x, 5.4.1.x, 5.4.2.x, 5.4.3.x, 5.5.0.x, 5.5.1.x
  • Oracle Insurance Istream, version(s) 4.3.2 and prior
  • MICROS Lucas, version(s) 2.9.5.1, 2.9.5.2, 2.9.5.3, 2.9.5.4, 2.9.5.5
  • MICROS Relate CRM Software, version(s) 10.0, 10.5, 10.8, 11.0, 11.1, 11.4, 15.0
  • MICROS XBR, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.7, 10.8.0, 10.8.1
  • MICROS Xstore Payment, version(s) 5.5, 6.0, 6.5, 7.0, 7.1, 15.0, 16.0
  • Oracle Retail Advanced Inventory Planning, version(s) 14.1, 15.0
  • Oracle Retail Advanced Science Engine, version(s) 14.1
  • Oracle Retail Analytic Parameter Calculator - RO, version(s) 15.0
  • Oracle Retail Analytics, version(s) 14.0, 14.1, 15.0, 16.0
  • Oracle Retail Assortment Planning, version(s) 14.1.3, 15.0.1, 16.0.0
  • Oracle Retail Back Office, version(s) 14.1
  • Oracle Retail Category Management, version(s) 13.2, 13.3, 14.0, 14.1
  • Oracle Retail Category Management Planning & Optimization, version(s) 15.0
  • Oracle Retail Customer Insights, version(s) 15.0
  • Oracle Retail Customer Management and Segmentation Foundation, version(s) 15.0
  • Oracle Retail Demand Forecasting, version(s) 14.1.3, 15.0.2
  • Oracle Retail Invoice Matching, version(s) 12.0, 13.0, 13.1, 13.2, 14.0, 14.1
  • Oracle Retail Item Planning, version(s) 14.1.3, 15.0.2
  • Oracle Retail Macro Space Optimization, version(s) 15.0.2
  • Oracle Retail Merchandise Financial Planning, version(s) 14.1.3, 15.0.2
  • Oracle Retail Merchandising Insights, version(s) 15.0
  • Oracle Retail Open Commerce Platform, version(s) 4.0, 5.0, 5.1, 5.3, 6.0, 6.1, 15.0, 16.0
  • Oracle Retail Order Broker, version(s) 5.1, 5.2, 15.0, 16.0
  • Oracle Retail Point-of-Service, version(s) 14.1.3
  • Oracle Retail Predictive Application Server, version(s) 13.1, 13.2, 13.3, 13.3.3, 13.4, 13.4.3, 14.0, 14.0.3, 14.1, 14.1.3, 15.0, 15.0.2, 16.0.0
  • ·PHP 7.1 prior to 7.1.2
  • Oracle Retail Regular Price Optimization, version(s) 14.1.3, 15.0.2
  • Oracle Retail Replenishment Optimization, version(s) 14.1.3, 15.0.2
  • Oracle Retail Returns Management, version(s) 14.1
  • Oracle Retail Size Profile Optimization, version(s) 14.1.3, 15.0.2
  • Oracle Retail Store Inventory, version(s) 14.1, 15.0, 16.0
  • Oracle Retail Warehouse Management System, version(s) 13.2, 14.0, 15.0
  • Oracle Retail XBRi Loss Prevention, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
  • Oracle Retail Xstore Point of Service, version(s) 5.5, 6.0, 6.5, 7.0, 7.1, 15.0, 16.0
  • Oracle Real-Time Scheduler, version(s) 2.2.0.3.13, 2.3.0.0, 2.3.0.1
  • Oracle Utilities Customer Self Service, version(s) 2.1.0.2.0
  • Oracle Utilities Framework, version(s) 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0, 4.3.0.3.0
  • Oracle Utilities Work and Asset Management, version(s) 1.9.1.2.11
  • Primavera Gateway, version(s) 1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2
  • Primavera P6 Enterprise Project Portfolio Management, version(s) 8.3, 8.4, 15.1, 15.2, 16.1, 16.2
  • Primavera Unifier, version(s) 9.13, 9.14, 10.0, 10.1, 15.1, 15.2
  • Oracle Java SE, version(s) 6u141, 7u131, 8u121
  • Oracle Java SE Embedded, version(s) 8u121
  • Oracle JRockit, version(s) R28.3.13Â
  • Oracle SuperCluster Specific Software, version(s) 2.3.8, 2.3.13
  • Solaris, version(s) 10, 11.3
  • Solaris Cluster, version(s) 4.3
  • StorageTek Tape Analytics SW Tool, version(s) prior to 2.2.1
  • Sun ZFS Storage Appliance Kit (AK), version(s) AK 2013
  • Oracle VM VirtualBox, version(s) prior to 5.0.38, prior to 5.1.20
  • Secure Global Desktop, version(s) 4.71, 5.2, 5.3
  • MySQL Cluster, version(s) 7.2.27 and prior, 7.3.16 and prior, 7.4.14 and prior, 7.5.5 and prior
  • MySQL Connectors, version(s) 2.1.5 and prior, 5.1.41 and prior
  • MySQL Enterprise Backup, version(s) 3.12.3 and prior, 4.0.3 and prior
  • MySQL Enterprise Monitor, version(s) 3.1.6.8003 and prior, 3.2.1182 and prior, 3.3.2.1162 and prior
  • MySQL Server, version(s) 5.5.54 and prior, 5.6.35 and prior, 5.7.17 and prior, 5.7.11 to 5.7.17
  • MySQL Workbench, version(s) 6.3.8 and prior
  • Automatic Service Request (ASR), version(s) prior to 5.7
  • Oracle Advanced Support Gateway, version(s) prior to 7.2
  • Oracle Trace File Analyzer (TFA), version(s) prior to 12.1.2.8.4
  • OSS Support Tools, version(s) prior to RDA 8.15.17.3.14

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
LOW

RECOMENDATIONS:

We recommend the following actions be taken:

· Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
· Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
· Remind users not to visit websites or follow links provided by unknown or untrusted sources.
· Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
· Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories