Oracle Quarterly Critical Patches Issued January 16, 2018

MS-ISAC ADVISORY NUMBER:

2018-005

DATE(S) ISSUED:

01/17/2018

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Agile Material and Equipment Management for Pharmaceuticals, versions 9.3.3, 9.3.4
  • Application Express, versions prior to 5.1.4.00.08
  • Converged Commerce, version 16.0.1
  • Hyperion BI+, version 11.1.2.4
  • Hyperion Data Relationship Management, version 11.1.2.4.330
  • Integrated Lights Out Manager (ILOM), versions 3.x, 4.x
  • Java Advanced Management Console, version 2.8
  • Java ME SDK, version 8.3
  • JD Edwards EnterpriseOne Tools, version 9.2
  • MICROS Handheld Terminal, versions prior to BSP 02.13.0701 (070116)
  • MICROS Relate CRM Software, versions 10.8.x, 11.4.x, 15.0.x
  • MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
  • MySQL Connectors, versions 5.3.9 and prior, 6.9.9 and prior, 6.10.4 and prior
  • MySQL Enterprise Monitor, versions 3.3.6.3293 and prior, 3.4.4.4226 and prior, 4.0.0.5135 and prior
  • MySQL Server, versions 5.5.58 and prior, 5.6.38 and prior, 5.7.20 and prior
  • Oracle Access Manager, versions 10.1.4.3.0, 11.1.2.3.0
  • Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1
  • Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6
  • Oracle Agile PLM MCAD Connector, versions 3.3, 3.4, 3.5, 3.6
  • Oracle Argus Safety, versions 7.x, 8.0.x, 8.1
  • Oracle Autovue for Agile Product Lifecycle Management, versions 21.0.0, 21.0.1
  • Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0
  • Oracle Banking Payments, versions 12.3.0, 12.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle Communications Application Session Controller, version 3.x
  • Oracle Communications BRM - Elastic Charging Engine, version 7.5
  • Oracle Communications Convergent Charging Controller, version 6.0
  • Oracle Communications Network Charging and Control, version 6.0
  • Oracle Communications Order and Service Management, versions 7.2.4.1.x, 7.2.4.2.x, 7.3.0.1.x, 7.3.0.x.x
  • Oracle Communications Services Gatekeeper, versions 5.1, 6.0
  • Oracle Communications Unified Inventory Management, versions 7.2.4.2.x, 7.3
  • Oracle Communications User Data Repository, versions 10.x, 12.x
  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1
  • Oracle Directory Server Enterprise Edition, version 11.1.1.7.0
  • Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
  • Oracle Endeca Information Discovery Integrator, versions 3.1.0, 3.2.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.5.x, 8.0.x
  • Oracle Financial Services Analytical Applications Reconciliation Framework, version 8.0.x
  • Oracle Financial Services Asset Liability Management, versions 6.1.x, 8.0.x
  • Oracle Financial Services Balance Sheet Planning, version 8.0.x
  • Oracle Financial Services Funds Transfer Pricing, versions 6.1.x, 8.0.x
  • Oracle Financial Services Hedge Management and IFRS Valuations, version 8.0.x
  • Oracle Financial Services Liquidity Risk Management, version 8.0.x
  • Oracle Financial Services Loan Loss Forecasting and Provisioning, version 8.0.x
  • Oracle Financial Services Market Risk, version 8.0.x
  • Oracle Financial Services Market Risk Measurement and Management, version 8.0.5
  • Oracle Financial Services Price Creation and Discovery, version 8.0.5
  • Oracle Financial Services Profitability Management, versions 6.1.x, 8.0.x
  • Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
  • Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 11.5.0, 11.6.0, 11.7.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0
  • Oracle Fusion Applications, versions 11.1.2 through 11.1.9
  • Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.3, 12.1.3.0, 12.2.1.2, 12.2.1.3
  • Oracle Health Sciences Empirica Inspections, version 1.0.1.1
  • Oracle Health Sciences Empirica Signal, version 8.0.1.0
  • Oracle Hospitality Cruise Dining Room Management, version 8.0.78
  • Oracle Hospitality Cruise Fleet Management, version 9.0.4.0
  • Oracle Hospitality Cruise Shipboard Property Management System, version 7.3.874
  • Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
  • Oracle Hospitality Labor Management, versions 8.5.1, 9.0.0
  • Oracle Hospitality Simphony, versions 2.7, 2.8, 2.9
  • Oracle HTTP Server, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle Hyperion Planning, version 11.1.2.4.007
  • Oracle Identity Manager, version 11.1.2.3.0
  • Oracle Internet Directory, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0
  • Oracle iPlanet Web Server, version 7.0
  • Oracle Java SE, versions 6u171, 7u161, 8u152, 9.0.1
  • Oracle Java SE Embedded, version 8u151
  • Oracle JDeveloper, versions 11.1.1.2.4, 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.2.0
  • Oracle JRockit, version R28.3.16
  • Oracle Mobile Security Suite, version 3.0.1
  • Oracle Retail Assortment Planning, versions 14.1.3, 15.0.3, 16.0.1
  • Oracle Retail Convenience and Fuel POS Software, version 2.1.132
  • Oracle Retail Customer Management and Segmentation Foundation, versions 10.8.x, 11.4.x, 15.0.x, 16.0.x
  • Oracle Retail Fiscal Management, version 14.1
  • Oracle Retail Merchandising System, version 16.0
  • Oracle Retail Workforce Management, versions 1.60.7, 1.64.0
  • Oracle Secure Global Desktop (SGD), version 5.3
  • Oracle Transportation Management, versions 6.2.11, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1, 6.4.2, 6.4.3
  • Oracle Tuxedo System and Applications Monitor, version 12.1.3.0.0
  • Oracle VM VirtualBox, versions prior to 5.1.32, prior to 5.2.6
  • Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle WebCenter Sites, version 11.1.1.8.0
  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle X86 Servers, versions SW 1.x, SW 2.x
  • OSS Support Tools, versions prior to 2.11.33
  • PeopleSoft Enterprise FIN Supply Chain Portal Pack Argentina, version 9.1
  • PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil, version 9.1
  • PeopleSoft Enterprise FSCM, version 9.2
  • PeopleSoft Enterprise HCM Human Resources, versions 9.1, 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56
  • PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.00
  • PeopleSoft Enterprise SCM eProcurement, versions 9.1, 9.2
  • PeopleSoft Enterprise SCM Purchasing, version 9.2
  • Primavera Unifier, versions 10.x, 15.x, 16.x, 17.x
  • Siebel Applications, versions 16.0, 17.0
  • Solaris, versions 10, 11.3
  • Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.13

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
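
To decide which systems need the patches first, an inventory can be matched against the thresholds under SYSTEMS AFFECTED. The following is an added example, not part of the MS-ISAC advisory: host names and the inventory are constructed, and it assumes each threshold applies only within its own release series (for example, "5.6.38 and prior" covers 5.6.x only).

```python
# Added example: triage an inventory against thresholds copied from SYSTEMS AFFECTED.
# Assumption: a threshold only applies to versions in the same release series
# (same first two version components), so 5.6.39 is not judged against 5.7.20.

# (product, threshold, inclusive): True for "and prior", False for "prior to"
AFFECTED = [
    ("MySQL Server", "5.5.58", True),
    ("MySQL Server", "5.6.38", True),
    ("MySQL Server", "5.7.20", True),
    ("Oracle VM VirtualBox", "5.1.32", False),
    ("Oracle VM VirtualBox", "5.2.6", False),
]

# Constructed sample inventory: (host, product, installed version)
INVENTORY = [
    ("db01", "MySQL Server", "5.6.38"),
    ("db02", "MySQL Server", "5.6.39"),
    ("db03", "MySQL Server", "5.1.73"),
    ("lab1", "Oracle VM VirtualBox", "5.1.30"),
    ("lab2", "Oracle VM VirtualBox", "5.2.6"),
]

def parse(version):
    """Turn '5.6.38' into (5, 6, 38) so comparison is numeric, not textual."""
    return tuple(int(part) for part in version.split("."))

def check(product, version):
    """Classify one installed version against the advisory's listed thresholds."""
    installed = parse(version)
    for name, limit, inclusive in AFFECTED:
        threshold = parse(limit)
        if name != product or installed[:2] != threshold[:2]:
            continue
        hit = installed <= threshold if inclusive else installed < threshold
        return "affected" if hit else "above listed threshold"
    # Series absent from the advisory (often out of support): review manually.
    return "series not listed"

def triage(inventory):
    """Map each host to its classification."""
    return {host: check(product, version) for host, product, version in inventory}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

A "series not listed" result means only that the advisory gives no threshold for that release series; such hosts need manual review.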

CIS Controls That Help Avoid This Issue:

  • CIS Control 3: Continuous Vulnerability Assessment and Remediation
  • CIS Control 18: Application Software Security