Oracle Quarterly Critical Patches Issued April 20, 2021

MS-ISAC ADVISORY NUMBER:

2021-053

DATE(S) ISSUED:

04/20/2021

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Oracle Application Express, versions prior to 20.2
  • Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c
  • Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.22
  • Oracle NoSQL Database, versions prior to 20.3
  • Oracle REST Data Services, versions prior to 20.4.3.50.1904
  • Oracle Spatial Studio, versions prior to 19.1.0, prior to 20.1.1
  • Oracle SQL Developer, versions prior to 20.4.1.407.6
  • Oracle Commerce Guided Search, versions 11.0, 11.1
  • Oracle Commerce Merchandising, versions 11.0, 11.0.11.1, 11.1
  • Oracle Communications Calendar Server, version 8.0
  • Oracle Communications Contacts Server, version 8.0
  • Oracle Communications Design Studio, version 7.4.2
  • Oracle Communications Messaging Server, versions 8.0.2, 8.1, 8.1.0
  • Oracle Communications MetaSolv Solution, versions 6.3.0, 6.3.1
  • Oracle Communications Unified Inventory Management, versions 7.3.4, 7.3.5, 7.4.0, 7.4.1
  • Oracle Communications Application Session Controller, version 3.9m0p3
  • Oracle Communications Converged Application Server - Service Controller, version 6.2
  • Oracle Communications Evolved Communications Application Server, version 7.1
  • Oracle Communications Interactive Session Recorder, versions 6.3, 6.4
  • Oracle Communications Performance Intelligence Center Software, versions 10.4.0.2, 10.4.0.3
  • Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0
  • Oracle Communications Session Border Controller, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Communications Session Router, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Communications Subscriber-Aware Load Balancer, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Communications Unified Session Manager, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Enterprise Communications Broker, versions PCZ3.1, PCZ3.2, PCZ3.3
  • Oracle Enterprise Session Border Controller, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle SD-WAN Aware, version 8.2
  • Oracle SD-WAN Edge, versions 8.2, 9.0
  • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
  • Primavera Gateway, versions 17.12.0-17.12.10
  • Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12
  • Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10
  • Enterprise Manager Base Platform, version 13.4.0.0
  • Enterprise Manager for Fusion Middleware, versions 12.2.1.4, 13.4.0.0
  • Enterprise Manager for Virtualization, version 13.4.0.0
  • Enterprise Manager Ops Center, version 12.4.0.0
  • Oracle Banking Platform, versions 2.4.0, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0
  • Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
  • Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
  • Oracle Hospitality Inventory Management, version 9.1.0
  • Oracle Hospitality RES 3700, versions 5.7.0-5.7.6
  • Oracle API Gateway, version 11.1.2.4.0
  • Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle Endeca Information Discovery Studio, version 3.2.0.0
  • Oracle Enterprise Repository, version 11.1.1.7.0
  • Oracle Fusion Middleware, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
  • Oracle Identity Manager Connector, version 11.1.1.5.0
  • Oracle Outside In Technology, version 8.5.5
  • Oracle Platform Security for Java, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Service Bus, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle Health Sciences Empirica Signal, versions 9.0, 9.1
  • Oracle Health Sciences Information Manager, versions 3.0.0-3.0.2
  • Oracle Healthcare Foundation, versions 7.1.5, 7.2.2, 7.3.0, 7.3.1, 8.0.1
  • Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0
  • Oracle Hospitality OPERA 5, versions 5.5, 5.6
  • Hyperion Analytic Provider Services, versions 11.1.2.4, 12.2.1.4
  • Hyperion Financial Management, version 11.1.2.4
  • Oracle iLearning, versions 6.2, 6.3
  • Oracle Insurance Data Gateway, version 1.0.2.3
  • Oracle GraalVM Enterprise Edition, versions 19.3.5, 20.3.1.2, 21.0.0.2
  • Oracle Java SE, versions 7u291, 8u281, 11.0.10, 16
  • Oracle Java SE Embedded, version 8u281
  • JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.5.3
  • JD Edwards EnterpriseOne Tools, versions prior to 9.2.4.0, prior to 9.2.5.3
  • JD Edwards World Security, version A9.4
  • MySQL Cluster, versions 8.0.23 and prior
  • MySQL Enterprise Monitor, versions 8.0.23 and prior
  • MySQL Server, versions 5.7.33 and prior, 8.0.23 and prior
  • MySQL Workbench, versions 8.0.23 and prior
  • PeopleSoft Enterprise CS Campus Community, version 9.2
  • PeopleSoft Enterprise FIN Common Application Objects, version 9.2
  • PeopleSoft Enterprise FIN Expenses, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
  • PeopleSoft Enterprise PT PeopleTools, versions 8.56, 8.57, 8.58
  • PeopleSoft Enterprise SCM eProcurement, version 9.2
  • Oracle Retail Assortment Planning, version 16.0.3
  • Oracle Retail Back Office, version 14.1
  • Oracle Retail Category Management Planning & Optimization, version 16.0.3
  • Oracle Retail Central Office, version 14.1
  • Oracle Retail EFTLink, versions 15.0.2, 16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.0
  • Oracle Retail Insights Cloud Service Suite, version 19.0
  • Oracle Retail Item Planning, version 16.0.3
  • Oracle Retail Macro Space Optimization, version 16.0.3
  • Oracle Retail Merchandise Financial Planning, version 16.0.3
  • Oracle Retail Merchandising System, version 16.0.3
  • Oracle Retail Point-of-Service, version 14.1
  • Oracle Retail Predictive Application Server, versions 14.1, 15.0, 16.0
  • Oracle Retail Regular Price Optimization, version 16.0.3
  • Oracle Retail Replenishment Optimization, version 16.0.3
  • Oracle Retail Returns Management, version 14.1
  • Oracle Retail Sales Audit, version 14.0
  • Oracle Retail Size Profile Optimization, version 16.0.3
  • Oracle Retail Store Inventory Management, versions 14.1.3.10, 15.0.3.5, 16.0.3.5
  • Oracle Retail Xstore Point of Service, versions 15.0.4, 16.0.6, 17.0.4, 18.0.3, 19.0.2
  • Siebel Applications, versions 21.2 and prior
  • Oracle Cloud Infrastructure Storage Gateway, versions prior to 1.4
  • Oracle Storage Cloud Software Appliance, versions 16.3.1.4.1 and prior
  • Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite, versions 3.5, 3.6
  • Agile Product Lifecycle Management Integration Pack for SAP: Design to Release, versions 3.5, 3.6
  • Oracle Advanced Supply Chain Planning, versions 12.1, 12.2
  • Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6
  • Oracle Rapid Planning, version 12.1.3
  • OSS Support Tools, versions prior to 2.12.41
  • Oracle Solaris, versions 10, 11
  • Oracle ZFS Storage Appliance Kit, version 8.8
  • Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
  • Oracle Secure Global Desktop, version 5.6
  • Oracle VM VirtualBox, versions prior to 6.1.20

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
  • LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply the patches or mitigations provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
  • Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
