Overview
On October 15, 2019, local time, Oracle released its October 2019 Critical Patch Update (CPU), together with the accompanying security advisories for Oracle's own and bundled third-party components. The update fixes 240 vulnerabilities of varying severity across the Oracle product families. For the affected products and the available patches, see the appendix.
For more details, see Oracle’s official security advisory from the following link:
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Vulnerabilities
Product | Vulnerabilities | Remotely Exploitable Without Auth. | Highest CVSS Base Score
--- | --- | --- | ---
Oracle Database Server | 10 | 2 | 6.8
Oracle NoSQL Database | 1 | 1 | 10
Oracle Construction and Engineering Suite | 13 | 11 | 9.8
Oracle E-Business Suite | 10 | 10 | 8.2
Oracle Enterprise Manager Products Suite | 7 | 5 | 9.8
Oracle Financial Services Applications | 7 | 4 | 9.8
Oracle Food and Beverage Applications | 7 | 3 | 9.0
Oracle Fusion Middleware | 37 | 31 | 9.8
Oracle Health Sciences Applications | 2 | 2 | 6.1
Oracle Hospitality Applications | 3 | 2 | 7.5
Oracle Hyperion | 3 | 0 | 6.4
Oracle Java SE | 20 | 20 | 6.8
Oracle GraalVM | 3 | 2 | 7.7
Oracle JD Edwards Products | 1 | 1 | 9.8
Oracle Knowledge | 17 | 16 | 9.8
Oracle MySQL | 34 | 9 | 9.8
Oracle PeopleSoft Products | 13 | 10 | 9.8
Oracle Policy Automation | 4 | 4 | 7.5
Oracle Retail Applications | 12 | 9 | 9.8
Oracle Siebel CRM | 4 | 4 | 7.5
Oracle Sun Systems Products Suite | 12 | 7 | 9.8
Oracle Supply Chain Products | 3 | 3 | 9.8
Oracle Support Tools | 2 | 2 | 6.1
Oracle Virtualization | 15 | 3 | 8.8
Affected Products and Versions
For details, see the appendix.
Critical Patch Update
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Prior Critical Patch Update advisories should therefore be reviewed for information about earlier published security fixes, since a system that skipped an earlier CPU is still exposed to the issues that update addressed.
Solution
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.
Appendix
The following table lists affected products (and their versions) and related patches.
Affected Products and Versions | Patch Availability Document
--- | ---
Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4 | Oracle Supply Chain Products
Diagnostic Assistant, version 2.12.36 | Support Tools
Enterprise Manager Base Platform, versions 13.2, 13.3 | Enterprise Manager
Enterprise Manager for Exadata, versions 12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0 | Enterprise Manager
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0 | Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2361, prior to XCP3071 | Systems
Hyperion Data Relationship Management, version 11.1.2.4 | Fusion Middleware
Hyperion Enterprise Performance Management Architect, version 11.1.2.4 | Fusion Middleware
Hyperion Financial Reporting, version 11.1.2.4 | Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, version 4.0.1.0 | JD Edwards
MICROS Relate CRM Software, versions 7.1.0, 11.4, 15.0.0, 16.0.0, 17.0.0, 18.0.0 | Retail Applications
MICROS Retail XBRi Loss Prevention, version 10.8.3 | Retail Applications
MySQL Connectors, versions 5.3.13 and prior, 8.0.17 and prior | MySQL
MySQL Enterprise Monitor, versions 8.0.17 and prior | MySQL
MySQL Server, versions 5.6.45 and prior, 5.7.27 and prior, 8.17 and prior | MySQL
MySQL Workbench, versions 8.0.17 and prior | MySQL
Oracle Agile PLM, versions 9.3.3-9.3.6 | Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0 | Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0 | Fusion Middleware
Oracle Application Testing Suite, versions 13.2, 13.3 | Enterprise Manager
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1 | Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1 | Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware
Oracle Clusterware, version 19.0.0.0.0 | Support Tools
Oracle Data Integrator, version 12.2.1.3.0 | Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9 | E-Business Suite
Oracle Enterprise Repository, version 12.1.3.0.0 | Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.2-8.0.8 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.6, 8.0.7 | Oracle Financial Services Enterprise Financial Performance Analytics
Oracle Financial Services Retail Performance Analytics, versions 8.0.6, 8.0.7 | Oracle Financial Services Retail Performance Analytics
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3 | Oracle Financial Services Applications
Oracle Forms, version 12.2.1.3.0 | Fusion Middleware
Oracle GoldenGate Application Adapters, version 12.3.2.1.0 | Fusion Middleware
Oracle GraalVM Enterprise Edition, version 19.2.0 | Oracle GraalVM Enterprise Edition
Oracle Healthcare Foundation, versions 7.1.1, 7.2.2 | Health Sciences
Oracle Healthcare Translational Research, versions 3.1.0, 3.2.1, 3.3.1 | Health Sciences
Oracle Hospitality Cruise Dining Room Management, version 8.0.80 | Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1 | Oracle Hospitality Materials Control
Oracle Hospitality Reporting and Analytics, version 9.1.0 | Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.7 | Oracle Hospitality RES
Oracle Java SE, versions 7u231, 8u221, 11.0.4, 13 | Java SE
Oracle Java SE Embedded, version 8u221 | Java SE
Oracle JDeveloper and ADF, versions 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0 | Fusion Middleware
Oracle NoSQL Database, versions prior to 19.3.12 | NoSQL Database
Oracle Outside In Technology, version 8.5.4 | Fusion Middleware
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15 | Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6 | Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.15 | Oracle Policy Automation
Oracle Retail Customer Insights, versions 15.0, 16.0 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 17.0 | Retail Applications
Oracle Retail Integration Bus, versions 15.0, 16.0 | Retail Applications
Oracle Retail Xstore Office, version 7.1 | Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 17.0.3, 18.0, 18.0.1, 19.0.0 | Retail Applications
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 | Fusion Middleware
Oracle SOA Suite, version 12.2.1.3.0 | Fusion Middleware
Oracle Solaris, versions 10, 11 | Systems
Oracle Virtual Directory, version 11.1.1.9.0 | Fusion Middleware
Oracle VM VirtualBox, versions prior to 5.2.34, prior to 6.0.14 | Virtualization
Oracle Web Services, version 12.2.1.3.0 | Fusion Middleware
Oracle WebCenter Portal, version 12.2.1.3.0 | Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 | Fusion Middleware
PeopleSoft Enterprise HCM Human Resources, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57 | PeopleSoft
PeopleSoft Enterprise SCM eProcurement, version 9.2 | PeopleSoft
Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8 | Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13 | Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8 | Oracle Construction and Engineering Suite
Siebel Applications, versions 19.8 and prior | Siebel
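The appendix expresses affected versions in four forms: single releases ("13.2, 13.3"), inclusive ranges ("12.1.1-12.1.3"), "X and prior", and "prior to X". The following script, added here as an example and not part of the NSFOCUS advisory or of any Oracle tooling, parses those forms and checks an installed version against them so an inventory can be triaged before patching. The product specs below are copied from the appendix; the installed versions are constructed sample data. One assumption is built in: "X and prior" and "prior to X" are read as statements about X's own release line only (so "5.7.27 and prior" does not pull in 8.0.x), which is how the appendix lists one bound per supported line.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Reduce a version string to its numeric components: '8u221' -> (8, 221), '18c' -> (18,)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


@dataclass
class Constraint:
    kind: str        # 'exact' | 'range' | 'upto' ("X and prior") | 'below' ("prior to X")
    low: Version     # lower bound for 'range', the listed release for 'exact'
    high: Version    # upper bound for 'range', 'upto' and 'below'

    def matches(self, v: Version) -> bool:
        if self.kind == "exact":
            # A listed release such as '13.2' covers installed builds like 13.2.0.0.
            return v[: len(self.low)] == self.low
        if self.kind == "range":
            return self.low <= v <= self.high
        # Assumption: a bound only speaks about its own release line, e.g. 5.7.x for '5.7.27 and prior'.
        branch = self.high[:-1]
        if v[: len(branch)] != branch:
            return False
        return v <= self.high if self.kind == "upto" else v < self.high


def parse_spec(spec: str) -> List[Constraint]:
    """Parse appendix wording such as 'versions 5.6.45 and prior, 12.1.1-12.1.3, prior to 6.0.14'."""
    spec = re.sub(r"^\s*versions?\s+", "", spec.strip())
    out: List[Constraint] = []
    for tok in (t.strip() for t in spec.split(",")):
        if not tok:
            continue
        if tok.startswith("prior to "):
            out.append(Constraint("below", (), parse_version(tok[len("prior to "):])))
        elif tok.endswith(" and prior"):
            out.append(Constraint("upto", (), parse_version(tok[: -len(" and prior")])))
        elif "-" in tok:
            lo, hi = tok.split("-", 1)
            out.append(Constraint("range", parse_version(lo), parse_version(hi)))
        else:
            out.append(Constraint("exact", parse_version(tok), ()))
    return out


def is_affected(spec: str, installed: str) -> bool:
    """True if the installed version falls inside any constraint of the appendix spec."""
    v = parse_version(installed)
    return any(c.matches(v) for c in parse_spec(spec))


# Affected-version specs copied verbatim from the appendix above.
APPENDIX: Dict[str, str] = {
    "MySQL Server": "versions 5.6.45 and prior, 5.7.27 and prior, 8.17 and prior",
    "Oracle E-Business Suite": "versions 12.1.1-12.1.3, 12.2.3-12.2.9",
    "Oracle VM VirtualBox": "versions prior to 5.2.34, prior to 6.0.14",
    "Oracle Java SE": "versions 7u231, 8u221, 11.0.4, 13",
    "Siebel Applications": "versions 19.8 and prior",
}


def audit(inventory: Dict[str, str], appendix: Dict[str, str] = APPENDIX) -> List[str]:
    """Return the names of inventory entries whose installed version is listed as affected."""
    return [p for p, ver in inventory.items() if p in appendix and is_affected(appendix[p], ver)]


if __name__ == "__main__":
    # Constructed sample inventory; not real hosts.
    sample = {
        "MySQL Server": "5.7.26",
        "Oracle E-Business Suite": "12.2.10",
        "Oracle VM VirtualBox": "6.0.12",
        "Oracle Java SE": "8u221",
        "Siebel Applications": "19.9",
    }
    for product in audit(sample):
        print(f"AFFECTED: {product} {sample[product]} -> apply the October 2019 CPU")
```

The version parser keeps only digit groups, so vendor suffixes ("18c", "7u231") compare cleanly, and the same code handles every row of the appendix without per-product rules; swap in your own inventory (for example from a CMDB export) to produce the patch list.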
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.