
Oracle Quarterly Critical Patches Issued July 17, 2018

MS-ISAC ADVISORY NUMBER:

2018-081

DATE(S) ISSUED:

07/17/2018

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Agile Recipe Management for Pharmaceuticals, version 9.3.4
  • Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.x
  • Enterprise Manager for Fusion Middleware, versions 12.1.0.5, 13.2.x
  • Enterprise Manager for MySQL Database, versions 13.2.2.0.0 and prior
  • Enterprise Manager for Oracle Database, versions 12.1.0.8, 13.2.2
  • Enterprise Manager for Peoplesoft, versions 13.1.1.1, 13.2.1.1
  • Enterprise Manager for Virtualization, versions 13.2.2, 13.2.3
  • Enterprise Manager Ops Center, versions 12.2.2, 12.3.3
  • FMW Platform, versions 12.2.1.2.0, 12.2.1.3.0
  • Hardware Management Pack, version 11.3
  • Hyperion Data Relationship Management, version 11.1.2.4.330
  • Hyperion Financial Reporting, version 11.1.2
  • JD Edwards EnterpriseOne Tools, version 9.2
  • JD Edwards World Security, versions A9.3, A9.3.1, A9.4
  • MICROS 700 Series Tablet, versions prior to BIOS 0.00.13ORC, prior to BIOS 0.01.25ORC
  • MICROS Handheld Terminal, versions 2018, Android 4.4.4 Security Patch Bulletin prior to February 1
  • MICROS Kitchen Display Controller, versions prior to BIOS 0.00.16ORC
  • MICROS Lucas, versions 2.9.5.3, 2.9.5.4, 2.9.5.5, 2.9.5.6
  • MICROS Relate CRM Software, versions 10.8.x, 11.4.x
  • MICROS Retail-J, versions 10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x
  • MICROS Workstation 6, versions prior to BIOS 1.3.1.0, prior to BIOS 1.5.2.0, prior to BIOS 2.3.1.0
  • MICROS XBR, versions 7.0.2, 7.0.4
  • MySQL Client, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
  • MySQL Connectors, versions 5.3.10 and prior, 8.0.11 and prior
  • MySQL Enterprise Monitor, versions 3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior
  • MySQL Server, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior
  • MySQL Workbench, versions 6.3.10 and prior, 8.0.11 and prior
  • Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1
  • Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6
  • Oracle Agile PLM MCAD Connector, versions 3.3, 3.4, 3.5, 3.6
  • Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0
  • Oracle API Gateway, version 11.1.2.4.0
  • Oracle Application Testing Suite, version 10.1
  • Oracle AutoVue VueLink Integration, versions 21.0.0, 21.0.1
  • Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0
  • Oracle Banking Payments, versions 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0
  • Oracle Banking Platform, versions 2.6.0, 2.6.1, 2.6.2
  • Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle Business Process Management Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle Communications Diameter Signaling Router (DSR), versions 7.x, 8.x
  • Oracle Communications EAGLE LNP Application Processor, version 10.x
  • Oracle Communications Interactive Session Recorder, versions 5.x, 6.x
  • Oracle Communications Messaging Server, version 3.x
  • Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
  • Oracle Communications Policy Management, version 12.x
  • Oracle Communications Session Border Controller, versions ECz7.x, ECz8.x
  • Oracle Communications User Data Repository, versions 10.x, 12.x
  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1, 18.2
  • Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
  • Oracle Endeca Information Discovery Studio, versions 3.1, 3.2
  • Oracle Enterprise Data Quality, version 12.2.1.3.0
  • Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3.x, 8.0.x
  • Oracle Financial Services Behavior Detection Platform, version 8.0.x
  • Oracle Financial Services Funds Transfer Pricing, versions 6.1.1, 8.0.x
  • Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4, 8.0.5
  • Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.4, 8.0.5
  • Oracle Financial Services Profitability Management, versions 6.1.1, 8.0.x
  • Oracle Financial Services Revenue Management and Billing, versions 2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0, 2.5.0.2.0, 2.5.0.3.0
  • Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3.0, 14.0.0, 14.1.0
  • Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0
  • Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
  • Oracle Fusion Middleware, versions 12.2.1.2, 12.2.1.3
  • Oracle Fusion Middleware MapViewer, versions 12.2.1.2, 12.2.1.3
  • Oracle Global Lifecycle Management OPatchAuto, version All
  • Oracle Hospitality Cruise Fleet Management System, version 9.x
  • Oracle Hospitality Cruise Shipboard Property Management System, version 8.x
  • Oracle Hospitality Gift and Loyalty, version 9.0.0
  • Oracle Hospitality OPERA 5 Property Services, version 5.5.x
  • Oracle Hospitality Reporting and Analytics, version 9.0.0
  • Oracle Hospitality Simphony, versions 2.8, 2.9, 2.10
  • Oracle iLearning, version 6.2
  • Oracle Insurance Policy Administration, versions 10.0, 10.1, 10.2, 11.0
  • Oracle Internet Directory, version 11.1.1.9.0
  • Oracle Java SE, versions 6u191, 7u181, 8u172, 10.0.1
  • Oracle Java SE Embedded, version 8u171
  • Oracle JDeveloper, versions 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle JRockit, version R28.3.18
  • Oracle Outside In Technology, version 8.5.3
  • Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10
  • Oracle Policy Automation Connector for Siebel, version 10.4.6
  • Oracle Policy Automation for Mobile Devices, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10
  • Oracle Retail Back Office, versions 14.0, 14.1
  • Oracle Retail Bulk Data Integration, version 16.0
  • Oracle Retail Central Office, versions 14.0, 14.1
  • Oracle Retail Clearance Optimization Engine, version 14.0.5
  • Oracle Retail Convenience and Fuel POS Software, version 2.1.132
  • Oracle Retail Customer Management and Segmentation Foundation, versions 16.x, 17.x
  • Oracle Retail Financial Integration, versions 13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x
  • Oracle Retail Integration Bus, versions 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.0, 14.1.0, 14.0.x, 14.1.x, 15.0, 15.0.x, 16.0, 16.0.x
  • Oracle Retail Order Broker, versions 5.2, 15.0, 16.0
  • Oracle Retail Point-of-Sale, versions 14.0, 14.1
  • Oracle Retail Point-of-Service, versions 14.0, 14.1
  • Oracle Retail Predictive Application Server, version 15.0.3
  • Oracle Retail Returns Management, versions 14.0, 14.1
  • Oracle Retail Service Backbone, versions 14.0.x, 14.1.x, 15.0.x, 16.0.x
  • Oracle Retail Service Layer, versions 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x
  • Oracle Secure Global Desktop, versions 5.3, 5.4
  • Oracle SOA Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle SuperCluster Specific Software, versions prior to 2.5.0
  • Oracle Transportation Management, versions 6.2, 6.3.7, 6.4.1
  • Oracle Tuxedo, versions 12.1.1, 12.1.3, 12.2.2
  • Oracle Utilities Framework, version 4.3.x
  • Oracle Utilities Network Management System, versions 1.12.x, 2.3.x
  • Oracle Utilities Work and Asset Management, version 1.9.1.2.12
  • Oracle VM VirtualBox, versions prior to 5.2.16
  • Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
  • OSS Support Tools, versions prior to 18.3
  • PeopleSoft Enterprise CS Financial Aid, versions 9.0, 9.2
  • PeopleSoft Enterprise FIN Install, version 9.2
  • PeopleSoft Enterprise HCM Human Resources, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56
  • PeopleSoft HRMS, version 9.2
  • Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.x, 16.x, 17.x
  • Primavera Unifier, versions 16.x, 17.x, 18.x
  • Siebel Applications, version 18.0
  • Solaris, versions 10, 11.2, 11.3
  • Solaris Cluster, versions 3.3, 4.3
  • Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.20
  • Tape Library ACSLS, versions prior to ACSLS 8.4.0-3

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
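The first recommendation depends on knowing which installed builds fall inside the version ranges listed under SYSTEMS AFFECTED, and that list mixes three phrasings ("5.7.22 and prior", "prior to 5.2.16", "4.3.x" or an exact release). The following script is an added example, not MS-ISAC or Oracle tooling: it parses entries copied verbatim from the list above and compares them against a constructed inventory. It assumes "X.Y.Z and prior" covers only the X.Y release line (the reading under which a 5.6.45 build is not covered by "5.6.40 and prior"), that "prior to" is a plain ordered comparison across all lines, and that a bare release such as "18.1" or "4.3.x" covers every build with that prefix; entries without a parseable number (for example "version All" or BIOS strings) produce no rule and must be reviewed by hand.

```python
"""Check installed versions against the 'versions ...' phrasing used in this
advisory's SYSTEMS AFFECTED list.  Added example; not CIS/MS-ISAC tooling.
Entry strings are copied from the advisory; inventory values are constructed."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Copied verbatim from the SYSTEMS AFFECTED list above.
ADVISORY_ENTRIES = [
    "MySQL Server, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior",
    "MySQL Workbench, versions 6.3.10 and prior, 8.0.11 and prior",
    "Oracle VM VirtualBox, versions prior to 5.2.16",
    "Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1, 18.2",
    "Oracle Utilities Framework, version 4.3.x",
    "Oracle Global Lifecycle Management OPatchAuto, version All",
]

# Constructed sample inventory (product -> installed version string).
INVENTORY = {
    "MySQL Server": "5.7.20-log",          # inside "5.7.22 and prior"
    "MySQL Workbench": "8.0.12",           # newer than "8.0.11 and prior"
    "Oracle VM VirtualBox": "5.2.16",      # the fixed release itself
    "Oracle Database Server": "12.1.0.2.0",  # listed as 12.1.0.2
    "Oracle Utilities Framework": "4.3.0.5.0",  # matches 4.3.x
}


def parse_version(text: str) -> Optional[Version]:
    """'5.7.22', '18.1', '5.7.20-log', '4.3.x' -> tuple of ints (wildcard/suffix dropped)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None


def parse_entry(entry: str) -> Tuple[str, List[Tuple[str, Version]]]:
    """Split 'Product, versions A and prior, prior to B, C.x' into (product, rules).

    Each rule is (kind, version) with kind in {'and_prior', 'prior_to', 'prefix'}.
    Terms with no leading number (e.g. 'All', 'BIOS 0.00.13ORC') yield no rule.
    """
    if ", version" not in entry:
        raise ValueError(f"no version clause in: {entry!r}")
    product, _, rest = entry.partition(", version")
    rest = rest.lstrip("s").strip()   # drop the plural 's' of 'versions'
    rules: List[Tuple[str, Version]] = []
    for term in re.split(r",\s*", rest):
        low = term.strip().lower()
        if low.startswith("prior to"):
            kind, v = "prior_to", parse_version(term.strip()[len("prior to"):])
        elif low.endswith("and prior"):
            kind, v = "and_prior", parse_version(term.strip()[: -len("and prior")])
        else:
            kind, v = "prefix", parse_version(term)   # '18.1' and '4.3.x' both become prefixes
        if v is not None:
            rules.append((kind, v))
    return product.strip(), rules


def rule_matches(kind: str, listed: Version, installed: Version) -> bool:
    """Apply one parsed rule to an installed version tuple."""
    if kind == "prior_to":
        return installed < listed            # ordered tuple comparison across all lines
    if kind == "and_prior":
        # Assumption: '5.7.22 and prior' covers the 5.7 line only.  Pad the
        # installed tuple with zeros so '5.7' is treated as 5.7.0.
        n = len(listed)
        padded = installed + (0,) * max(0, n - len(installed))
        return padded[: n - 1] == listed[:-1] and padded[n - 1] <= listed[-1]
    if kind == "prefix":
        return installed[: len(listed)] == listed
    raise ValueError(kind)


def is_affected(entry: str, installed: str) -> bool:
    """True if the installed version string falls inside the entry's listed ranges."""
    _, rules = parse_entry(entry)
    iv = parse_version(installed)
    if iv is None:
        raise ValueError(f"unparseable installed version: {installed!r}")
    return any(rule_matches(kind, v, iv) for kind, v in rules)


def check_inventory(entries: Iterable[str], inventory: Dict[str, str]) -> List[str]:
    """Return the sorted product names whose installed version is affected."""
    rules_by_product = dict(parse_entry(e) for e in entries)
    hits = []
    for product, installed in inventory.items():
        rules = rules_by_product.get(product)
        iv = parse_version(installed)
        if rules and iv is not None and any(rule_matches(k, v, iv) for k, v in rules):
            hits.append(product)
    return sorted(hits)


if __name__ == "__main__":
    for product in check_inventory(ADVISORY_ENTRIES, INVENTORY):
        print(f"AFFECTED: {product} {INVENTORY[product]}")
```

Products whose entry produced no rule (such as OPatchAuto "version All") never appear as hits, so a complete check still needs a manual pass over those entries; the comparison also does not understand Oracle's own patch-set and bundle-patch numbering beyond the dotted version string, which is why the result should drive a look at the vendor's Critical Patch Update matrix rather than replace it.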

CIS CONTROLS THAT HELP AVOID THIS ISSUE:

  • CIS Control 3: Continuous Vulnerability Assessment and Remediation
  • CIS Control 18: Application Software Security