Oracle Quarterly Critical Patches Issued October 20, 2020

MS-ISAC ADVISORY NUMBER:

2020-144

DATE(S) ISSUED:

10/20/2020

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

THREAT INTELLIGENCE:

October 29 – UPDATED THREAT INTELLIGENCE:
Open source reports have indicated that active exploitation of CVE-2020-14882 has been observed in the wild. This vulnerability allows an unauthenticated attacker with network access via HTTP to compromise WebLogic servers and is reported to be easy to exploit. This allows for complete takeover of a WebLogic server. In addition, this vulnerability can also be exploited along with CVE-2020-14883, another Oracle WebLogic Server vulnerability.

January 22 – UPDATED THREAT INTELLIGENCE:
Open source reports have indicated that active exploitation of CVE-2020-14871 has been observed in the wild. This stack-based buffer-overflow vulnerability allows for execution of arbitrary code with root privileges on the affected system. Failed exploit attempts will likely result in denial-of-service conditions. Fixes are available.

SYSTEMS AFFECTED:

  • Application Performance Management (APM), versions 13.3.0.0, 13.4.0.0
  • Big Data Spatial and Graph, versions prior to 3.0
  • Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0
  • Enterprise Manager for Peoplesoft, version 13.4.1.1
  • Enterprise Manager for Storage Management, versions 13.3.0.0, 13.4.0.0
  • Enterprise Manager Ops Center, version 12.4.0.0
  • Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2362, prior to XCP3090
  • Fujitsu M12-1, M12-2, M12-2S Servers, versions prior to XCP3090
  • Hyperion Analytic Provider Services, version 11.1.2.4
  • Hyperion BI+, version 11.1.2.4
  • Hyperion Essbase, version 11.1.2.4
  • Hyperion Infrastructure Technology, version 11.1.2.4
  • Hyperion Lifecycle Management, version 11.1.2.4
  • Hyperion Planning, version 11.1.2.4
  • Identity Manager Connector, version 9.0
  • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
  • Management Pack for Oracle GoldenGate, version 12.2.1.2.0
  • MySQL Cluster, versions 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior
  • MySQL Enterprise Monitor, versions 8.0.21 and prior
  • MySQL Server, versions 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
  • MySQL Workbench, versions 8.0.21 and prior
  • Oracle Access Manager, version 11.1.2.3.0
  • Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6
  • Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0
  • Oracle Application Express, versions prior to 20.2
  • Oracle Application Testing Suite, version 13.3.0.1
  • Oracle Banking Corporate Lending, versions 12.3.0, 14.0.0-14.4.0
  • Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1, 19.2, 20.1
  • Oracle Banking Payments, versions 14.1.0-14.4.0
  • Oracle Banking Platform, versions 2.4.0-2.10.0
  • Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Communications Application Session Controller, versions 3.8m0, 3.9m0p1
  • Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.2.0, 12.0.0.3.0
  • Oracle Communications BRM - Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0
  • Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0.0-8.4.0.5, [IDIH] 8.0.0-8.2.2
  • Oracle Communications EAGLE Software, versions 46.6.0-46.8.2
  • Oracle Communications Element Manager, versions 8.2.0-8.2.2
  • Oracle Communications Evolved Communications Application Server, version 7.1
  • Oracle Communications Messaging Server, version 8.1
  • Oracle Communications Offline Mediation Controller, version 12.0.0.3.0
  • Oracle Communications Services Gatekeeper, version 7
  • Oracle Communications Session Border Controller, versions 8.2-8.4
  • Oracle Communications Session Report Manager, versions 8.2.0-8.2.2
  • Oracle Communications Session Route Manager, versions 8.2.0-8.2.2
  • Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0
  • Oracle Communications WebRTC Session Controller, version 7.2
  • Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0
  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
  • Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10
  • Oracle Endeca Information Discovery Integrator, version 3.2.0
  • Oracle Endeca Information Discovery Studio, version 3.2.0
  • Oracle Enterprise Repository, version 11.1.1.7.0
  • Oracle Enterprise Session Border Controller, version 8.4
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0
  • Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.6-8.0.8, 8.1.0
  • Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7, 8.1.0
  • Oracle Financial Services Balance Sheet Planning, version 8.0.8
  • Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.6-8.0.8, 8.1.0
  • Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.6-8.0.8, 8.1.0
  • Oracle Financial Services Data Foundation, versions 8.0.6-8.1.0
  • Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.0.6-8.0.9
  • Oracle Financial Services Data Integration Hub, versions 8.0.6, 8.0.7, 8.1.0
  • Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0
  • Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8, 8.1.0
  • Oracle Financial Services Institutional Performance Analytics, versions 8.0.6, 8.0.7, 8.1.0, 8.7.0
  • Oracle Financial Services Liquidity Risk Management, version 8.0.6
  • Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8, 8.1.0
  • Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8, 8.1.0
  • Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8, 8.1.0
  • Oracle Financial Services Price Creation and Discovery, versions 8.0.6, 8.0.7
  • Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0
  • Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6-8.1.0
  • Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.6-8.0.9
  • Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.2.0
  • Oracle Financial Services Retail Customer Analytics, version 8.0.6
  • Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.5.0-11.7.0
  • Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3
  • Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
  • Oracle FLEXCUBE Universal Banking, versions 12.3.0, 14.0.0-14.4.0
  • Oracle GoldenGate Application Adapters, versions 12.3.2.1.0, 19.1.0.0.0
  • Oracle GraalVM Enterprise Edition, versions 19.3.3, 20.2.0
  • Oracle Health Sciences Empirica Signal, version 9.0
  • Oracle Healthcare Data Repository, version 7.0.1
  • Oracle Healthcare Foundation, versions 7.1.1, 7.2.0, 7.2.1, 7.3.0
  • Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
  • Oracle Hospitality Materials Control, version 18.1
  • Oracle Hospitality OPERA 5 Property Services, versions 5.5, 5.6
  • Oracle Hospitality Reporting and Analytics, version 9.1.0
  • Oracle Hospitality RES 3700, version 5.7
  • Oracle Hospitality Simphony, versions 18.1, 18.2, 19.1.0-19.1.2
  • Oracle Hospitality Suite8, versions 8.10.2, 8.11-8.15
  • Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Insurance Accounting Analyzer, version 8.0.9
  • Oracle Insurance Allocation Manager for Enterprise Profitability, versions 8.0.8, 8.1.0
  • Oracle Insurance Data Foundation, versions 8.0.6-8.1.0
  • Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.0-5.6.0.0, 5.6.1.0
  • Oracle Insurance Policy Administration J2EE, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26, 11.2.2.0
  • Oracle Insurance Rules Palette, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26
  • Oracle Java SE, versions 7u271, 8u261, 11.0.8, 15
  • Oracle Java SE Embedded, version 8u261
  • Oracle JDeveloper, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Outside In Technology, versions 8.5.4, 8.5.5
  • Oracle Policy Automation, versions 12.2.0-12.2.20
  • Oracle Policy Automation Connector for Siebel, version 10.4.6
  • Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.20
  • Oracle REST Data Services, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Standalone ORDS] prior to 20.2.1
  • Oracle Retail Advanced Inventory Planning, version 14.1
  • Oracle Retail Assortment Planning, versions 15.0.3.0, 16.0.3.0
  • Oracle Retail Back Office, versions 14.0, 14.1
  • Oracle Retail Bulk Data Integration, versions 15.0.3.0, 16.0.3.0
  • Oracle Retail Central Office, versions 14.0, 14.1
  • Oracle Retail Customer Management and Segmentation Foundation, versions 18.0, 19.0
  • Oracle Retail Integration Bus, versions 14.1, 15.0, 16.0
  • Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0, 19.1, 19.2, 19.3
  • Oracle Retail Point-of-Service, versions 14.0, 14.1
  • Oracle Retail Predictive Application Server, versions 14.1.3.0, 15.0.3.0, 16.0.3.0
  • Oracle Retail Price Management, versions 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0
  • Oracle Retail Returns Management, versions 14.0, 14.1
  • Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0
  • Oracle Retail Xstore Point of Service, versions 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1
  • Oracle Solaris, versions 10, 11
  • Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.49, prior to 18.1.3.1.0, prior to 18.1.4.1.0
  • Oracle Transportation Management, version 6.3.7
  • Oracle Utilities Framework, versions 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
  • Oracle VM VirtualBox, versions prior to 6.1.16
  • Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle ZFS Storage Appliance Kit, version 8.8
  • PeopleSoft Enterprise HCM Global Payroll Core, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
  • PeopleSoft Enterprise SCM eSupplier Connection, version 9.2
  • Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.8
  • Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12
  • Siebel Applications, versions 20.7, 20.8

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

January 22 – UPDATED TECHNICAL SUMMARY:
A vulnerability has been discovered in Oracle Solaris which could allow for arbitrary code execution and denial of service. This vulnerability is caused by a failure to perform a bounds check on user-supplied data before copying it into an insufficiently sized buffer. Specifically, this issue exists in the 'parse_user_name()' function of the 'pam_framework.c' source file within the 'Pluggable Authentication Module (PAM)' component of the affected application. This attack can occur by submitting specially crafted input to the username parameter while attempting to log in to the application via the 'Secure Shell (SSH) keyboard-interactive' authentication method.

Successful exploitation of this vulnerability could allow for arbitrary code execution with root privileges or cause denial of service with failed exploit attempts.
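The bug class described above (an unchecked copy of a client-supplied username into a fixed-size buffer), shown as an added C illustration beside its hardened form. This is not the Solaris PAM code: the buffer size, the function names and the 'A'-filled probe names are assumptions constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Illustrative fixed buffer size: an assumption for this example, not the
 * size used by Solaris. */
#define USER_NAME_MAX 32

/* Vulnerable pattern (the bug class, not the Solaris source): the name is
 * copied into a fixed-size stack buffer with no length check, so an
 * overlong name overruns the stack. For comparison only; never called. */
void copy_user_name_unchecked(const char *input)
{
    char user[USER_NAME_MAX];
    strcpy(user, input);   /* no bounds check */
}

/* Hardened form: reject the name before any byte is copied unless it fits
 * in dst together with its terminator. Returns 0 on success, -1 if
 * rejected; dst is untouched on rejection. */
int parse_user_name_checked(const char *input, char *dst, size_t dst_size)
{
    if (input == NULL || dst == NULL || dst_size == 0)
        return -1;
    /* Look for the terminator only within dst_size bytes of the input. */
    const char *end = memchr(input, '\0', dst_size);
    if (end == NULL)       /* no NUL within dst_size: too long to fit */
        return -1;
    memcpy(dst, input, (size_t)(end - input) + 1);
    return 0;
}

/* Server-side step: the name comes from the client (attacker-controlled in
 * keyboard-interactive auth). Returns 1 if accepted, 0 if rejected. */
int accept_user_name(const char *from_client)
{
    char user[USER_NAME_MAX];
    return parse_user_name_checked(from_client, user, sizeof user) == 0;
}

/* Exercises the check with a constructed name of n 'A' characters. */
int probe_name_length(size_t n)
{
    static char name[4096];
    if (n >= sizeof name)
        n = sizeof name - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return accept_user_name(name);
}
```

A 31-character name is accepted, while 32 characters or more is rejected before any copy, which is the check the vulnerable pattern lacks.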

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

January 22 – UPDATED RECOMMENDATIONS:
We recommend the following actions be taken:
  • Implement multiple redundant layers of security.
  • Various memory-protection schemes (such as non-executable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code.

REFERENCES:
