CIS Logo
tagline: Confidence in the Connected World

Oracle Quarterly Critical Patches Issued January 15, 2019

MS-ISAC ADVISORY NUMBER:

2019-006

DATE(S) ISSUED:

01/15/2019

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Enterprise Manager Base Platform, versions 12.1.0.5, 13.2, 13.3
  • Enterprise Manager for Virtualization, versions 13.2.2, 13.2.3, 13.3.1
  • Enterprise Manager Ops Center, versions 12.2.2, 12.3.3
  • Hyperion BI+, version 11.1.2.4
  • Java Advanced Management Console, version 2.12
  • JD Edwards EnterpriseOne Tools, version 9.2
  • JD Edwards World Security, versions A9.3, A9.3.1, A9.4
  • MySQL Connectors, versions 2.1.8 and prior, 8.0.13 and prior
  • MySQL Enterprise Monitor, versions 4.0.7 and prior, 8.0.13 and prior
  • MySQL Server, versions 5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior
  • MySQL Workbench, versions 8.0.13 and prior
  • Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1
  • Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0, 6.2.3.1
  • Oracle API Gateway, version 11.1.2.4.0
  • Oracle Application Testing Suite, versions 13.1.0.1, 13.2.0.1, 13.3.0.1
  • Oracle Argus Safety, versions 8.1, 8.2
  • Oracle Banking Platform, versions 2.5.0, 2.6.0, 2.6.1, 2.6.2
  • Oracle Business Process Management Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
  • Oracle Communications Billing and Revenue Management, versions 7.5, 12.0
  • Oracle Communications Converged Application Server, versions prior to 7.0.0.1
  • Oracle Communications Converged Application Server - Service Controller, version 6.1
  • Oracle Communications Diameter Signaling Router (DSR), versions prior to 8.3
  • Oracle Communications Online Mediation Controller, version 6.1
  • Oracle Communications Performance Intelligence Center (PIC) Software, versions prior to 10.2.1
  • Oracle Communications Policy Management, versions prior to 12.5
  • Oracle Communications Service Broker, version 6.0
  • Oracle Communications Services Gatekeeper, versions prior to 6.1.0.4.0
  • Oracle Communications Session Border Controller, versions prior to SCz7310p4, prior to SCz740m2p3, prior to SCz741m1p5, prior to SCz800p7, prior to SCz810m1p9
  • Oracle Communications Unified Inventory Management, versions prior to 7.4.0
  • Oracle Communications Unified Session Manager, versions prior to SCz740m2p3, prior to SCz741m1p5, prior to SCz810m1p9
  • Oracle Communications WebRTC Session Controller, versions prior to 7.2
  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c
  • Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8
  • Oracle Endeca Server, version 7.7.0
  • Oracle Enterprise Communications Broker, versions prior to PCz220p1, prior to PCz300p2
  • Oracle Enterprise Repository, versions 12.1.3.0.0
  • Oracle Enterprise Session Border Controller, versions prior to ECz750p12, prior to ECz800p5
  • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3, 7.3.5, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7
  • Oracle FLEXCUBE Direct Banking, version 12.0.2
  • Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0
  • Oracle Fusion Middleware MapViewer, version 12.2.1.3.0
  • Oracle GoldenGate Application Adapters, version 12.3.2.1.1
  • Oracle Health Sciences Information Manager, version 3.0
  • Oracle Healthcare Foundation, versions 7.1, 7.2
  • Oracle Healthcare Master Person Index, versions 3.0, 4.0
  • Oracle Hospitality Cruise Fleet Management, version 9.0.10
  • Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.8
  • Oracle Hospitality Reporting and Analytics, version 9.1.0
  • Oracle Hospitality Simphony, version 2.10
  • Oracle HTTP Server, version 12.2.1.3
  • Oracle Insurance Calculation Engine, version 10.2
  • Oracle Insurance Insbridge Rating and Underwriting, versions 5.2, 5.4, 5.5
  • Oracle Insurance Policy Administration J2EE, versions 10.0, 10.2Oracle Insurance Policy Administration J2EE, versions 10.0, 10.2
  • Oracle Insurance Rules Palette, versions 10.0, 10.2
  • Oracle Java SE, versions 7u201, 8u192, 11.0.1
  • Oracle Java SE Embedded, version 8u191
  • Oracle Managed File Transfer, versions 12.2.1.3.0, 19.1.0.0.0
  • Oracle Outside In Technology, versions 8.5.3, 8.5.4.
  • Oracle Reports Developer, version 12.2.1.3
  • Oracle Retail Back Office, versions 13.3, 13.4, 14.0, 14.1
  • Oracle Retail Central Office, versions 13.3, 13.4, 14.0, 14.1
  • Oracle Retail Convenience and Fuel POS Software, version 2.8.1
  • Oracle Retail Customer Insights, versions 15.0, 16.0
  • Oracle Retail Integration Bus, version 17.0
  • Oracle Retail Merchandising System, version 14.1
  • Oracle Retail Returns Management, versions 13.3, 13.4, 14.0, 14.1
  • Oracle Retail Sales Audit, version 15.0
  • Oracle Retail Service Backbone, versions 13.1, 13.2, 14.0, 14.1, 15.0, 16.0
  • Oracle Retail Workforce Management Software, versions 1.60.9, 1.64.0
  • Oracle Retail Xstore Payment, version 3.3
  • Oracle Secure Global Desktop (SGD), version 5.4
  • Oracle Service Architecture Leveraging Tuxedo, versions 12.1.3.0.0, 12.2.2.0.0
  • Oracle SOA Suite, versions 12.1.3.0.0, 12.2.1.3.0
  • Oracle Transportation Management, versions 6.3.7, 6.4.1, 6.4.2, 6.4.3
  • Oracle Utilities Framework, version 4.3.0.1-4.3.0.4
  • Oracle Utilities Network Management System, versions 1.12.0.3, 2.3.0.0, 2.3.0.1, 2.3.0.2
  • Oracle VM VirtualBox, versions prior to 5.2.24, prior to 6.0.2
  • Oracle Web Cache, version 11.1.1.9.0
  • Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0
  • Oracle WebCenter Sites, version 11.1.1.8.0
  • Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.3
  • OSS Support Tools, versions prior to 19.1
  • PeopleSoft Enterprise CC Common Application Objects, version 9.2
  • PeopleSoft Enterprise CS Campus Community, versions 9.0, 9.2
  • PeopleSoft Enterprise HCM eProfile Manager Desktop, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57
  • PeopleSoft Enterprise SCM eProcurement, version 9.2
  • Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8
  • Primavera Unifier, versions 16.1, 16.2, 17.1-17.12, 18.8
  • Siebel Applications, versions 18.10, 18.11, 18.12
  • Solaris, versions 10, 11
  • Sun ZFS Storage Appliance Kit (AK), versions prior to 8.8.1
  • Tape Library ACSLS, version 8.4

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:

Get Email Updates When Cyber Threats Like This Arise

Arrow Subscribe to Advisories

Protect Your Systems from Cyber Threats Like This

CIS Controls That Help Avoid This Issue Arrow CIS Control 3: Continuous Vulnerability Assessment and Remediation Arrow CIS Control 18: Application Software Security CIS Benchmarks and Other Tools for Related Technology Arrow Oracle Database Arrow Oracle MySQL Arrow Oracle Solaris

Information Hub : Advisories


CONTROL: 1 --- ADVISORY CONTROL: 0
CONTROL: 2 --- ADVISORY CONTROL: 0
CONTROL: 3 --- ADVISORY CONTROL: 0
CONTROL: 4 --- ADVISORY CONTROL: 0