Oracle Quarterly Critical Patches Issued October 19, 2022

MS-ISAC ADVISORY NUMBER:

2022-124

DATE(S) ISSUED:

10/19/2022

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Application Management Pack for Oracle E-Business Suite, version 13.4.1.0.0
  • Big Data Spatial and Graph, versions prior to 23.1
  • Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0
  • Enterprise Manager for Virtualization, versions 13.4.0.0, 13.5.0.0
  • Enterprise Manager Ops Center, version 12.4.0.0
  • JD Edwards EnterpriseOne Orchestrator, versions 9.2.6.4 and prior
  • JD Edwards EnterpriseOne Tools, versions 9.2.6.4 and prior
  • MySQL Connectors, versions 8.0.30 and prior
  • MySQL Enterprise Backup, versions 4.1.4 and prior
  • MySQL Enterprise Monitor, versions 8.0.31 and prior
  • MySQL Installer, versions 1.6.3 and prior
  • MySQL Server, versions 5.7.39 and prior, 8.0.30 and prior
  • MySQL Shell, versions 8.0.30 and prior
  • MySQL Workbench, versions 8.0.30 and prior
  • Oracle Access Manager, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Agile Engineering Data Management, version 6.2.1.0
  • Oracle Agile PLM, version 9.3.6
  • Oracle Airlines Data Model
  • Oracle Application Express
  • Oracle AutoVue, version 21.0.2
  • Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2
  • Oracle Banking Enterprise Default Management, version 2.12.0
  • Oracle Banking Loans Servicing, versions 2.8.0, 2.12.0
  • Oracle Banking Party Management, version 2.7.0
  • Oracle Banking Platform, versions 2.7.1, 2.9.0, 2.12.0
  • Oracle BI Publisher, versions 5.9.0.0, 6.4.0.0.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Activity Monitoring(Oracle BAM), versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0, 6.4.0.0
  • Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
  • Oracle Commerce Platform, versions 11.3.0-11.3.2
  • Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.7.0
  • Oracle Communications Cloud Native Core Binding Support Function, version 22.3.0
  • Oracle Communications Cloud Native Core Console, version 22.2.0
  • Oracle Communications Cloud Native Core Network Exposure Function, versions 22.2.1, 22.3.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 1.9.0, 22.1, 22.1.0, 22.2, 22.2.0, 22.2.1
  • Oracle Communications Cloud Native Core Network Repository Function, version 22.2.2
  • Oracle Communications Cloud Native Core Policy, version 22.3.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.1.1, 22.2.0, 22.2.1, 22.3.0
  • Oracle Communications Cloud Native Core Service Communication Proxy, versions 22.2.3, 22.3.1, 22.4.0
  • Oracle Communications Cloud Native Core Unified Data Repository, versions 22.1.1, 22.2.1, 22.3.0
  • Oracle Communications Converged Application Server - Service Controller, version 6.2
  • Oracle Communications Convergence, version 3.0.3.0
  • Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0
  • Oracle Communications Data Model, version 12.2.0.1
  • Oracle Communications Design Studio, version 7.4.2
  • Oracle Communications Diameter Signaling Router, version 8.6.0.0
  • Oracle Communications Element Manager, version 9.0
  • Oracle Communications Evolved Communications Application Server, version 7.1
  • Oracle Communications Instant Messaging Server, version 10.0.1.6.0
  • Oracle Communications Interactive Session Recorder, version 6.4
  • Oracle Communications Messaging Server, version 8.1
  • Oracle Communications MetaSolv Solution, version 6.3.1
  • Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0
  • Oracle Communications Order and Service Management, versions 7.3, 7.4
  • Oracle Communications Policy Management, version 12.6.0.0.0
  • Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.7.0
  • Oracle Communications Services Gatekeeper, version 7.0.0.0.0
  • Oracle Communications Session Border Controller, versions 8.4, 9.0, 9.1
  • Oracle Communications Session Report Manager, version 9.0
  • Oracle Communications Unified Assurance, versions prior to 5.5.7.0.0, 6.0.0.0.0
  • Oracle Communications User Data Repository, versions 12.4.0, 12.6.0, 12.6.1
  • Oracle Communications WebRTC Session Controller, versions 7.2.0, 7.2.1
  • Oracle Data Integrator, version 12.2.1.4.0
  • Oracle Database Server, versions 19c, 21c
  • Oracle Documaker Enterprise Edition, versions 12.6-12.7
  • Oracle E-Business Suite, versions 12.2.3-12.2.11
  • Oracle Enterprise Data Quality, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Enterprise Operations Monitor, versions 4.4, 5.0
  • Oracle Essbase, version 21.3
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1
  • Oracle Financial Services Behavior Detection Platform, versions 8.0.7.2, 8.0.8.1, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2
  • Oracle Financial Services Enterprise Case Management, versions 8.0.7.3, 8.0.8.2, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2
  • Oracle Financial Services Model Management and Governance, versions 8.0.8.0, 8.1.0.0, 8.1.1.0
  • Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7.0, 8.0.8.0
  • Oracle GoldenGate, version 19c
  • Oracle GraalVM Enterprise Edition, versions 20.3.7, 21.3.3, 22.2.0
  • Oracle Healthcare Data Repository, versions 8.1.1, 8.1.2, 8.1.3
  • Oracle Healthcare Foundation, versions 8.1, 8.2
  • Oracle Healthcare Master Person Index, versions 5.0.0-5.0.3
  • Oracle Healthcare Translational Research, version 4.1
  • Oracle Hospitality Cruise Fleet Management System, version 9.1.5
  • Oracle Hospitality Cruise Shipboard Property Management System, versions 20.2.0, 20.2.2
  • Oracle Hospitality Suite8, versions 8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0
  • Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Hyperion Infrastructure Technology, version 11.2.9
  • Oracle Identity Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Insurance Insbridge Rating and Underwriting, versions 5.2.0, 5.4.0-5.6.2
  • Oracle Java SE, versions 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19
  • Oracle MapViewer, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Middleware Common Libraries and Tools, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle NoSQL Database
  • Oracle Outside In Technology, version 8.5.6
  • Oracle Retail Assortment Planning, version 16.0.3
  • Oracle Retail Back Office, version 14.1
  • Oracle Retail Central Office, version 14.1
  • Oracle Retail Customer Insights, versions 15.0.2, 15.2, 16.0.2
  • Oracle Retail Customer Management and Segmentation Foundation, versions 17.0, 18.0, 19.0
  • Oracle Retail EFTLink, versions 20.0.1, 21.0.0
  • Oracle Retail Fiscal Management, version 14.2
  • Oracle Retail Merchandising System, versions 14.1.3.2, 15.0.3.1, 19.0.1
  • Oracle Retail Point Of Service, version 14.1
  • Oracle Retail Predictive Application Server, versions 14.1.3.47, 15.0.3.116, 16.0.3.260
  • Oracle Retail Returns Management, version 14.1
  • Oracle Retail Sales Audit, version 19.0.1
  • Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3
  • Oracle SD-WAN Aware, version 9.0.1.3.0
  • Oracle SD-WAN Edge, versions 7.0.7, 9.1.1.2.0
  • Oracle Secure Backup, versions prior to 18.1.0.2.0
  • Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Solaris, version 11
  • Oracle Solaris Cluster, version 4
  • Oracle SQL Developer
  • Oracle TimesTen In-Memory Database
  • Oracle Transportation Management, versions 6.4.3, 6.5.1
  • Oracle Utilities Testing Accelerator, versions 6.0.0.1.3, 6.0.0.2.4, 6.0.0.3.3, 7.0.0.0.0
  • Oracle VM VirtualBox, versions prior to 6.1.40
  • Oracle WebCenter Content, version 12.2.1.3.0
  • Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • PeopleSoft Enterprise Common Components, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60
  • Primavera Gateway, versions 18.8.0-18.8.15, 19.12.0-19.12.14, 20.12.0-20.12.9, 21.12.0-21.12.7
  • Primavera Unifier, versions 18.8, 19.12, 20.12, 21.12
  • Siebel Applications, versions 22.8 and prior

RISK:

Government:
Large and medium government entitiesHIGH
Small governmentHIGH
Businesses:
Large and medium business entitiesHIGH
Small business entitiesHIGH
Home Users:
LOW

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Perform regular software updates to mitigate exploitation risk. (M1051: Update Software)
    o Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    o Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    o Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    o Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
    o Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    o Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
    o Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    o Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
    **

Get Email Updates When Cyber Threats Like This Arise

Subscribe to Advisories