
Oracle Quarterly Critical Patches Issued July 14, 2020

MS-ISAC ADVISORY NUMBER:

2020-096

DATE(S) ISSUED:

07/14/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Category Management Planning & Optimization, version 15.0.3
  • Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0
  • Enterprise Manager Base Platform, versions 12.1.0.5, 13.3.0.0, 13.4.0.0
  • Enterprise Manager for Fusion Middleware, version 12.1.0.5
  • Enterprise Manager Ops Center, version 12.4.0.0
  • GoldenGate Stream Analytics, versions prior to 19.1.0.0.1
  • Hyperion Financial Close Management, version 11.1.2.4
  • Instantis EnterpriseTrack, versions 17.1-17.3
  • JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.4.2
  • JD Edwards EnterpriseOne Tools, versions prior to 9.2.3.3, prior to 9.2.4.2
  • MySQL Client, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
  • MySQL Cluster, versions 7.3.29 and prior, 7.4.28 and prior, 7.5.18 and prior, 7.6.14 and prior, 8.0.20 and prior
  • MySQL Connectors, versions 8.0.20 and prior
  • MySQL Enterprise Monitor, versions 4.0.12 and prior, 8.0.20 and prior
  • MySQL Server, versions 5.6.48 and prior, 5.7.30 and prior, 8.0.20 and prior
  • Oracle Agile Engineering Data Management, version 6.2.1.0
  • Oracle Application Express, versions 5.1-19.2
  • Oracle Application Testing Suite, versions 13.2.0.1, 13.3.0.1
  • Oracle AutoVue, version 21.0
  • Oracle Banking Enterprise Collections, versions 2.7.0-2.9.0
  • Oracle Banking Payments, versions 14.1.0-14.4.0
  • Oracle Banking Platform, versions 2.4.0-2.10.0
  • Oracle Berkeley DB, versions prior to 6.1.38, prior to 18.1.40
  • Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 11.0, 11.1, 11.2, prior to 11.3.1
  • Oracle Commerce Platform, versions 11.1, 11.2, prior to 11.3.1
  • Oracle Commerce Service Center, versions 11.1, 11.2, prior to 11.3.1
  • Oracle Communications Analytics, version 12.1.1
  • Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0
  • Oracle Communications BRM - Elastic Charging Engine, versions 11.3, 12.0
  • Oracle Communications Contacts Server, version 8.0.0.4.0
  • Oracle Communications Convergence, versions 3.0.1.0-3.0.2.1
  • Oracle Communications Diameter Signaling Router (DSR), versions 8.0-8.4
  • Oracle Communications Element Manager, versions 8.1.1, 8.2.0, 8.2.1
  • Oracle Communications Evolved Communications Application Server, version 7.1
  • Oracle Communications Instant Messaging Server, version 10.0.1.4.0
  • Oracle Communications Interactive Session Recorder, versions 6.1-6.4
  • Oracle Communications IP Service Activator, versions 7.3.0, 7.4.0
  • Oracle Communications LSMS, versions 13.0-13.3
  • Oracle Communications Messaging Server, versions 8.0.2, 8.1.0
  • Oracle Communications MetaSolv Solution, version 6.3.0
  • Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.0-12.0.3
  • Oracle Communications Network Integrity, versions 7.3.2-7.3.6
  • Oracle Communications Operations Monitor, versions 3.4, 4.1-4.3
  • Oracle Communications Order and Service Management, versions 7.3, 7.4
  • Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0
  • Oracle Communications Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0
  • Oracle Communications Session Report Manager, versions 8.1.1, 8.2.0, 8.2.1
  • Oracle Communications Session Route Manager, versions 8.1.1, 8.2.0, 8.2.1
  • Oracle Configuration Manager, version 12.1.2.0.6
  • Oracle Configurator, versions 12.1, 12.2
  • Oracle Data Masking and Subsetting, versions 13.3.0.0, 13.4.0.0
  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Spatial Studio] prior to 19.2.1
  • Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9
  • Oracle Endeca Information Discovery Studio, version 3.2.0
  • Oracle Enterprise Communications Broker, versions 3.0.0-3.2.0
  • Oracle Enterprise Repository, version 11.1.1.7.0
  • Oracle Enterprise Session Border Controller, versions 8.1.0, 8.2.0, 8.3.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0
  • Oracle Financial Services Compliance Regulatory Reporting, versions 8.0.6-8.0.8
  • Oracle Financial Services Lending and Leasing, versions 12.5.0, 14.1.0-14.8.0
  • Oracle Financial Services Liquidity Risk Management, version 8.0.6
  • Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8
  • Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8
  • Oracle Financial Services Regulatory Reporting for De Nederlandsche Bank, version 8.0.4
  • Oracle FLEXCUBE Investor Servicing, versions 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
  • Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
  • Oracle Fusion Middleware MapViewer, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Global Lifecycle Management/OPatch, versions prior to 12.2.0.1.20
  • Oracle GoldenGate, versions prior to 19.1.0.0.0
  • Oracle GraalVM Enterprise Edition, versions 19.3.2, 20.1.0
  • Oracle Health Sciences Empirica Inspections, version 1.0.1.2
  • Oracle Health Sciences Empirica Signal, version 7.3.3
  • Oracle Healthcare Master Person Index, version 4.0.2
  • Oracle Healthcare Translational Research, versions 3.2.1, 3.3.1, 3.3.2, 3.4.0
  • Oracle Help Technologies, versions 11.1.1.9.0, 12.2.1.3.0
  • Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
  • Oracle Hospitality Reporting and Analytics, version 9.1.0
  • Oracle Hyperion BI+, version 11.1.2.4
  • Oracle iLearning, versions 6.1, 6.1.1
  • Oracle Insurance Accounting Analyzer, versions 8.0.6-8.0.9
  • Oracle Insurance Data Gateway, version 1.0
  • Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
  • Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0, 11.2.0
  • Oracle Java SE, versions 7u261, 8u251, 11.0.7, 14.0.1
  • Oracle Java SE Embedded, version 8u251
  • Oracle Outside In Technology, versions 8.5.4, 8.5.5
  • Oracle Rapid Planning, versions 12.1, 12.2
  • Oracle Real User Experience Insight, version 13.3.1.0
  • Oracle Retail Assortment Planning, versions 15.0, 15.0.3, 16.0, 16.0.3
  • Oracle Retail Bulk Data Integration, versions 15.0, 16.0
  • Oracle Retail Customer Management and Segmentation Foundation, version 18.0
  • Oracle Retail Data Extractor for Merchandising, versions 1.9, 1.10, 18.0
  • Oracle Retail Extract Transform and Load, version 19.0
  • Oracle Retail Financial Integration, versions 15.0, 16.0
  • Oracle Retail Fusion Platform, version 5.5
  • Oracle Retail Integration Bus, versions 15.0, 15.0.3, 16.0, 16.0.3
  • Oracle Retail Invoice Matching, version 16.0
  • Oracle Retail Item Planning, version 15.0.3
  • Oracle Retail Macro Space Optimization, version 15.0.3
  • Oracle Retail Merchandise Financial Planning, version 15.0.3
  • Oracle Retail Merchandising System, versions 15.0.3, 16.0.2, 16.0.3
  • Oracle Retail Order Broker, version 15.0
  • Oracle Retail Predictive Application Server, versions 14.0.3, 14.1.3, 15.0.3, 16.0.3
  • Oracle Retail Regular Price Optimization, versions 15.0.3, 16.0.3
  • Oracle Retail Replenishment Optimization, version 15.0.3
  • Oracle Retail Sales Audit, version 14.1
  • Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0
  • Oracle Retail Size Profile Optimization, version 15.0.3
  • Oracle Retail Store Inventory Management, versions 14.0.4, 14.1.3, 15.0.3, 16.0.3
  • Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 18.0, 19.0
  • Oracle SD-WAN Aware, version 8.2
  • Oracle SD-WAN Edge, versions 8.2, 9.0
  • Oracle Security Service, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Solaris, version 11
  • Oracle TimesTen In-Memory Database, versions prior to 18.1.2.1.0
  • Oracle Transportation Management, versions 6.3.7, 6.4.3
  • Oracle Unified Directory, versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
  • Oracle VM VirtualBox, versions prior to 5.2.44, prior to 6.0.24, prior to 6.1.12
  • Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle ZFS Storage Appliance Kit, version 8.8
  • PeopleSoft Enterprise FIN Expenses, version 9.2
  • PeopleSoft Enterprise HCM Global Payroll Switzerland, version 9.2
  • PeopleSoft Enterprise HRMS, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
  • Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.7, 18.8.0-18.8.9, 19.12.0-19.12.4
  • Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0.0-16.2.20.1, 17.1.0.0-17.12.17.1, 18.1.0.0-18.8.19, 19.12.0-19.12.6
  • Primavera Portfolio Management, versions 16.1.0.0-16.1.5.1, 18.0.0.0-18.0.2.0, 19.0.0.0
  • Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, [Mobile App] prior to 20.6
  • Siebel Applications, versions 2.20.5 and prior, 20.6 and prior

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
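The first recommendation assumes you already know which hosts run an affected version. The script below is an added example (not MS-ISAC, CIS or Oracle code) that checks a software inventory against a few of the entries from the SYSTEMS AFFECTED list above. It distinguishes the three ways the list states versions: "x and prior" (inclusive upper bound within the same release branch), "prior to x" (exclusive upper bound within the same branch) and a plain enumeration (exact match). The inventory rows, hostnames and the `AFFECTED` table are constructed for the example; only the version strings are taken from the advisory, and only four products are transcribed, so extend the table for anything else you run.

```python
"""Match an installed-software inventory against affected-version entries
from the July 2020 Oracle Critical Patch Update advisory (added example)."""
import re

# Transcribed from the SYSTEMS AFFECTED list. Entry kinds:
#   "and_prior": listed version and anything older in the same x.y branch
#   "prior_to":  anything older than the listed version in the same x.y branch
#   "exact":     only the enumerated versions
AFFECTED = {
    "MySQL Server": ("and_prior", ["5.6.48", "5.7.30", "8.0.20"]),
    "Oracle VM VirtualBox": ("prior_to", ["5.2.44", "6.0.24", "6.1.12"]),
    "Oracle WebLogic Server": (
        "exact", ["10.3.6.0.0", "12.1.3.0.0", "12.2.1.3.0", "12.2.1.4.0", "14.1.1.0.0"]),
    "Oracle Java SE": ("exact", ["7u261", "8u251", "11.0.7", "14.0.1"]),
}


def parse_version(text):
    """Turn '12.2.1.3.0', '8.0.20', '8u251' or '18c' into a tuple of ints.

    Every run of digits becomes one component, so Java's '8u251' compares
    as (8, 251) and dotted releases compare component by component.
    """
    return tuple(int(x) for x in re.findall(r"\d+", text))


def is_affected(product, installed):
    """Return True if `installed` falls inside the advisory's entry for `product`.

    Raises KeyError for products not transcribed into AFFECTED, so a typo in
    an inventory row is loud rather than silently 'not affected'.
    """
    kind, listed = AFFECTED[product]
    v = parse_version(installed)
    for bound in listed:
        b = parse_version(bound)
        if kind == "exact":
            if v == b:
                return True
            continue
        # Range entries are scoped to the release branch (first two components),
        # so VirtualBox 6.0.30 is not flagged merely because 6.0.30 < 6.1.12.
        # Branches the advisory does not list (e.g. MySQL 5.5) are not flagged
        # here; check those against Oracle's own matrix.
        if v[:2] != b[:2]:
            continue
        if kind == "and_prior" and v <= b:
            return True
        if kind == "prior_to" and v < b:
            return True
    return False


def scan(inventory):
    """Return the (host, product, version) rows that need the July 2020 CPU."""
    return [(host, product, version)
            for host, product, version in inventory
            if product in AFFECTED and is_affected(product, version)]


# Constructed sample inventory; hostnames are placeholders, not real systems.
INVENTORY = [
    ("db01", "MySQL Server", "5.7.30"),             # listed version itself
    ("db02", "MySQL Server", "8.0.21"),             # one past the 8.0.20 bound
    ("dev-laptop", "Oracle VM VirtualBox", "6.1.10"),   # older than 6.1.12
    ("dev-desktop", "Oracle VM VirtualBox", "6.0.24"),  # 'prior to' excludes the bound
    ("app01", "Oracle WebLogic Server", "12.2.1.4.0"),
    ("app02", "Oracle Java SE", "8u261"),           # not in the enumerated list
    ("ci01", "Oracle Java SE", "8u251"),
]

if __name__ == "__main__":
    for host, product, version in scan(INVENTORY):
        print(f"{host}: {product} {version} is within the advisory's affected range")
```

In a real deployment the inventory would come from your asset database or from package queries on each host; the comparison logic stays the same. Note that "exact" entries such as WebLogic and Java SE flag only the enumerated release; a WebLogic install that already carries a later patch set update will not match, which is the intended reading of the list.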

REFERENCES:
