
Oracle Quarterly Critical Patches Issued July 18, 2017

MS-ISAC ADVISORY NUMBER:

2017-065

DATE(S) ISSUED:

07/18/2017

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1
  • Oracle REST Data Services, versions prior to 3.0.10.25.02.36
  • Oracle API Gateway, version 11.1.2.4.0
  • Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
  • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
  • Oracle Data Integrator, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
  • Oracle Endeca Server, versions 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.6.0.0, 7.7.0.0
  • Oracle Enterprise Data Quality, version 8.1.13.0.0
  • Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0
  • Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.1, 12.2.1.2
  • Oracle OpenSSO, versions 3.0.0.7, 3.0.0.8
  • Oracle Outside In Technology, version 8.5.3.0
  • Oracle Secure Enterprise Search, version 11.2.2.2.0
  • Oracle Service Bus, versions 11.1.1.7.0, 11.1.1.9.0
  • Oracle Traffic Director, versions 11.1.1.7.0, 11.1.1.9.0
  • Oracle Tuxedo, version 12.1.1
  • Oracle Tuxedo System and Applications Monitor, versions 11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0, 12.2.2.0.0
  • Oracle WebCenter Content, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.1, 12.2.1.2.1
  • Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
  • Hyperion Essbase, version 12.2.1.1
  • Enterprise Manager Base Platform, versions 12.1.0, 13.1.0, 13.2.0
  • Enterprise Manager Ops Center, versions 12.2.2, 12.3.2
  • Oracle Application Testing Suite, versions 12.5.0.2, 12.5.0.3
  • Oracle Business Transaction Management, versions 11.1.x, 12.1.x
  • Oracle Configuration Manager, versions prior to 12.1.2.0.4
  • Application Management Pack for Oracle E-Business Suite, versions AMP 12.1.0.4.0, AMP 13.1.1.1.0
  • Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
  • Oracle Agile PLM, versions 9.3.5, 9.3.6
  • Oracle Transportation Management, versions 6.1, 6.2, 6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.7.1, 6.4.0, 6.4.1, 6.4.2
  • PeopleSoft Enterprise FSCM, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55
  • PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.0
  • Siebel Applications, versions 16.0, 17.0
  • Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 6.1.4, 11.0, 11.1, 11.2
  • Oracle iLearning, version 6.2
  • Oracle Fusion Applications, versions 11.1.2 through 11.1.9
  • Oracle Communications BRM, versions 11.2.0.0.0, 11.3.0.0.0
  • Oracle Communications Convergence, versions 3.0, 3.0.1
  • Oracle Communications EAGLE LNP Application Processor, version 10.0
  • Oracle Communications Network Charging and Control, versions 4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0
  • Oracle Communications Policy Management, version 11.5
  • Oracle Communications Session Router, versions ECZ730, SCZ730, SCZ740
  • Oracle Enterprise Communications Broker, version PCZ210
  • Oracle Enterprise Session Border Controller, version ECZ7.3.0
  • Financial Services Behavior Detection Platform, versions 8.0.1, 8.0.2
  • Oracle Banking Platform, versions 2.3, 2.4, 2.4.1, 2.5
  • Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
  • Oracle FLEXCUBE Private Banking, versions 2.0.0, 2.0.1, 2.2.0, 12.0.1
  • Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
  • Hospitality Hotel Mobile, versions 1.01, 1.05, 1.1
  • Hospitality Property Interfaces, version 8.10.x
  • Hospitality Suite8, version 8.10.x
  • Hospitality WebSuite8 Cloud Service, versions 8.9.6, 8.10.x
  • MICROS BellaVita, version 2.7.x
  • MICROS PC Workstation 2015, versions prior to O1302h
  • MICROS Workstation 650, versions prior to E1500n
  • Oracle Hospitality 9700, version 4.0
  • Oracle Hospitality Cruise AffairWhere, version 2.2.05.062
  • Oracle Hospitality Cruise Dining Room Management, version 8.0.75
  • Oracle Hospitality Cruise Fleet Management, version 9.0
  • Oracle Hospitality Cruise Materials Management, version 7.30.562
  • Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.0.0
  • Oracle Hospitality e7, version 4.2.1
  • Oracle Hospitality Guest Access, versions 4.2.0.0, 4.2.1.0
  • Oracle Hospitality Inventory Management, versions 8.5.1, 9.0.0
  • Oracle Hospitality Materials Control, version 8.31.4
  • Oracle Hospitality OPERA 5 Property Services, versions 5.4.0.x, 5.4.1.x, 5.4.3.x
  • Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0
  • Oracle Hospitality RES 3700, version 5.5
  • Oracle Hospitality Simphony, versions 2.8, 2.9
  • Oracle Hospitality Simphony First Edition, version 1.7.1
  • Oracle Hospitality Simphony First Edition Venue Management, version 3.9
  • Oracle Hospitality Suites Management, version 3.7
  • Oracle Payment Interface, version 6.1.1
  • Oracle Retail Allocation, versions 13.3.1, 14.0.4, 14.1.3, 15.0.1, 16.0.1
  • Oracle Retail Customer Insights, versions 15.0, 16.0
  • Oracle Retail Open Commerce Platform, versions 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1
  • Oracle Retail Warehouse Management System, versions 14.0.4, 14.1.3, 15.0.1
  • Oracle Retail Workforce Management, versions 1.60.7, 1.64.0
  • Oracle Retail Xstore Point of Service, versions 15.0.0, 15.0.1
  • Oracle Policy Automation, versions 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3
  • Primavera Gateway, versions 1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2
  • Primavera P6 Enterprise Project Portfolio Management, versions 8.3, 8.4, 15.1, 15.2, 16.1, 16.2
  • Primavera Unifier, versions 9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2
  • Java Advanced Management Console, version 2.6
  • Oracle Java SE, versions 6u151, 7u141, 8u131
  • Oracle Java SE Embedded, version 8u131
  • Oracle JRockit, version R28.3.14
  • Solaris, versions 10, 11
  • Solaris Cluster, version 4
  • Oracle VM VirtualBox, versions prior to 5.1.24
  • MySQL Cluster, versions 7.3.5 and prior
  • MySQL Connectors, versions 5.3.7 and prior, 6.1.10 and prior
  • MySQL Enterprise Monitor, versions 3.1.5.7958 and prior, 3.2.5.1141 and prior, 3.2.7.1204 and prior, 3.3.2.1162 and prior, 3.3.3.1199 and prior
  • MySQL Server, versions 5.5.56 and prior, 5.6.36 and prior, 5.7.18 and prior
  • Oracle Explorer, versions prior to 8.16

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
