Oracle Quarterly Critical Patches Issued January 17, 2023

MS-ISAC ADVISORY NUMBER:

2023-007

DATE(S) ISSUED:

01/17/2023

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Big Data Spatial and Graph, versions prior to 21.4.3, prior to 23.1.0
  • Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0
  • Enterprise Manager Ops Center, version 12.4.0.0
  • Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2411, prior to XCP3111, prior to XCP4011
  • GoldenGate Stream Analytics, versions prior to 19.1.0.0.8
  • GoldenGate Veridata, versions prior to 12.2.1.4.220831
  • JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.7.2
  • JD Edwards EnterpriseOne Tools, versions prior to 9.2.7.2
  • Management Cloud Engine, version 22.1.0.0.0
  • Management Pack for Oracle GoldenGate, versions prior to 12.2.1.2.221115
  • Middleware Common Libraries and Tools, versions 12.2.1.4.0, 14.1.1.0.0
  • MySQL Cluster, versions 7.4.38 and prior, 7.5.28 and prior, 7.6.24 and prior, 8.0.31 and prior
  • MySQL Connectors, versions 8.0.31 and prior
  • MySQL Enterprise Monitor, versions 8.0.32 and prior
  • MySQL Server, versions 5.7.40 and prior, 8.0.31 and prior
  • MySQL Workbench, versions 8.0.31 and prior
  • Oracle Access Manager, version 12.2.1.4.0
  • Oracle Agile PLM, version 9.3.6
  • Oracle AutoVue, versions prior to 21.0.2.6
  • Oracle Banking Enterprise Default Management, versions 2.6.2, 2.7.0, 2.7.1, 2.12.0
  • Oracle Banking Loans Servicing, versions 2.8.0, 2.12.0
  • Oracle Banking Party Management, version 2.7.0
  • Oracle Banking Platform, versions 2.6.2, 2.7.1, 2.9.0, 2.12.0
  • Oracle BI Publisher, versions 5.9.0.0.0, 6.4.0.0.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0.0, 6.4.0.0.0
  • Oracle Coherence, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle Commerce Guided Search, version 11.3.2
  • Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.7.0
  • Oracle Communications BRM - Elastic Charging Engine, versions 12.0.0.3.0-12.0.0.7.0
  • Oracle Communications Calendar Server, version 8.0.0.6.0
  • Oracle Communications Cloud Native Core Automated Test Suite, versions 22.2.2, 22.3.1, 22.4.0
  • Oracle Communications Cloud Native Core Binding Support Function, versions 22.1.0, 22.1.1, 22.2.0, 22.2.1, 22.2.2, 22.2.4, 22.3.0-22.4.0
  • Oracle Communications Cloud Native Core Console, versions 22.3.0, 22.4.0
  • Oracle Communications Cloud Native Core Network Data Analytics Function, version 22.0.0.0.0
  • Oracle Communications Cloud Native Core Network Exposure Function, versions 22.3.1, 22.4.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 22.3.0
  • Oracle Communications Cloud Native Core Network Repository Function, versions 22.3.0, 22.3.2
  • Oracle Communications Cloud Native Core Network Slice Selection Function, versions 22.3.1, 22.4.1
  • Oracle Communications Cloud Native Core Policy, versions 1.11.0, 22.3.0, 22.4.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.3.1, 22.4.0
  • Oracle Communications Cloud Native Core Unified Data Repository, versions 22.2.2, 22.2.3, 22.3.3, 22.3.4, 22.4.0
  • Oracle Communications Contacts Server, version 8.0.0.7.0
  • Oracle Communications Converged Application Server, versions 7.1.0, 8.0.0
  • Oracle Communications Convergence, version 3.0.3.1.0
  • Oracle Communications Design Studio, version 7.4.2
  • Oracle Communications Diameter Intelligence Hub, version 8.2.3.0
  • Oracle Communications Diameter Signaling Router, version 8.6.0.0
  • Oracle Communications Elastic Charging Engine, versions 12.0.0.3.0-12.0.0.7.0
  • Oracle Communications Instant Messaging Server, version 10.0.1.6.0
  • Oracle Communications Messaging Server, version 8.1.0.20.0
  • Oracle Communications MetaSolv Solution, version 6.3.1
  • Oracle Communications Order and Service Management, version 7.4.0
  • Oracle Communications Performance Intelligence Center (PIC) Software, version 10.4.0.4.1
  • Oracle Communications Pricing Design Center, versions 12.0.0.5.0-12.0.0.7.0
  • Oracle Communications Unified Assurance, versions 5.5.0-5.5.9, 6.0.0-6.0.1
  • Oracle Communications Unified Inventory Management, versions 7.4.0-7.4.2, 7.5.0
  • Oracle Database Server, versions 19c, 21c, [Perl] prior to 5.35
  • Oracle Demantra Demand Management, versions 12.1, 12.2, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12
  • Oracle Documaker, versions 12.4.0-12.7.0
  • Oracle E-Business Suite, versions 12.2.3-12.2.12
  • Oracle Essbase, version 21.4
  • Oracle Financial Services Crime and Compliance Management Studio, version 8.0.8.3.1
  • Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
  • Oracle Global Lifecycle Management NextGen OUI Framework, versions prior to 13.9.4.2.11
  • Oracle GraalVM Enterprise Edition, versions 20.3.8, 21.3.4, 22.3.0 Java SE
  • Oracle Graph Server and Client, versions prior to 21.4.3, prior to 22.4.0, prior to 23.1.0
  • Oracle Healthcare Data Repository, versions 8.1.0.0-8.1.3.1
  • Oracle Healthcare Translational Research, versions 4.1.0.0-4.1.1.1
  • Oracle Hospitality Cruise Shipboard Property Management System, version 20.2.2
  • Oracle Hospitality Gift and Loyalty, version 9.1.0 Oracle
  • Oracle Hospitality Labor Management, version 9.1.0 Oracle
  • Oracle Hospitality Reporting and Analytics, version 9.1.0
  • Oracle Hospitality Simphony, versions 18.2.11, 19.3.4
  • Oracle HTTP Server, version 12.2.1.4.0
  • Oracle Hyperion Infrastructure Technology, version 11.2.10
  • Oracle Java SE, versions 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1
  • Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
  • Oracle Outside In Technology, version 8.5.6
  • Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3
  • Oracle SD-WAN Aware, versions 8.2.1.9.0, 9.0.1.4.0
  • Oracle Solaris, versions 10, 11
  • Oracle Spatial Studio, versions prior to 22.3.0
  • Oracle Stream Analytics, versions prior to 19.1.0.0.8
  • Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.65
  • Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0
  • Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1, 2.5.0.0-2.5.0.2
  • Oracle VM VirtualBox, versions prior to 6.1.42, prior to 7.0.6
  • Oracle Web Services Manager, version 12.2.1.4.0
  • Oracle WebCenter Content, version 12.2.1.4.0
  • Oracle WebCenter Sites, version 12.2.1.4.0
  • Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • OSS Support Tools, versions 2.12.43, 22.2.22.4.5, 22.4.22.10.18
  • PeopleSoft Enterprise CC Common Application Objects, version 9.2
  • PeopleSoft Enterprise CS Academic Advisement, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60
  • Primavera Gateway, versions 18.8.0-18.8.15, 19.12.0-19.12.15, 20.12.0-20.12.10, 21.12.0-21.12.8
  • Primavera Unifier, versions 18.8, 19.12, 20.12, 21.12, 22.12
  • Siebel Applications, versions 22.10 and prior

RISK:

Government:
Large and medium government entitiesHIGH
Small governmentHIGH
Businesses:
Large and medium business entitiesHIGH
Small business entitiesHIGH
Home Users:
LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    o Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    o Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

  • Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    o Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    o Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
    o Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    o Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
    o Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    o Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.

Get Email Updates When Cyber Threats Like This Arise

Subscribe to Advisories