Oracle January 2019 Critical Patch Update Security Advisory for All Product Families

January 22, 2019 | Adeline Zhang

Overview

On January 15, 2019, local time, Oracle released its own security advisory and third-party security advisories for its January 2019 Critical Patch Update (CPU), which fixes 284 vulnerabilities of varying severity levels across its product families. For details about affected products and available patches, see the appendix.

For details, click the following link:

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Vulnerabilities

| Product | Number of Vulnerabilities | Remote Exploits without Authentication | Highest CVSS Score |
|---|---|---|---|
| Oracle Database Server | 3 | 0 | 8.2 |
| Oracle Communications Applications | 33 | 29 | 9.8 |
| Oracle Construction and Engineering Suite | 4 | 4 | 9.8 |
| Oracle E-Business Suite | 16 | 16 | 9.1 |
| Oracle Enterprise Manager Products Suite | 11 | 9 | 9.8 |
| Oracle Financial Services Applications | 9 | 9 | 9.8 |
| Oracle Food and Beverage Applications | 6 | 3 | 8.1 |
| Oracle Fusion Middleware | 62 | 57 | 9.8 |
| Oracle Health Sciences Applications | 6 | 2 | 8.8 |
| Oracle Hospitality Applications | 5 | 0 | 7.8 |
| Oracle Hyperion | 1 | 0 | 4.3 |
| Oracle Insurance Applications | 5 | 3 | 8.8 |
| Oracle Java SE | 5 | 5 | 6.1 |
| Oracle JD Edwards | 2 | 2 | 9.8 |
| Oracle MySQL | 30 | 3 | 9.1 |
| Oracle PeopleSoft Products | 20 | 15 | 8.8 |
| Oracle Retail Applications | 16 | 15 | 9.8 |
| Oracle Siebel CRM | 1 | 1 | 9.8 |
| Oracle Sun Systems Products | 11 | 5 | 9.8 |
| Oracle Supply Chain Products Suite | 5 | 4 | 9.8 |
| Oracle Support Tools | 1 | 1 | 7.5 |
| Oracle Utilities Applications | 2 | 2 | 9.8 |
| Oracle Virtualization | 30 | 4 | 8.8 |

Affected Products and Versions

For details, see the appendix.

CPU

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes.

Solution:

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

Appendix

The following table lists affected products (and their versions) and related patches.

| Affected Products and Versions | Patch Availability Document |
|---|---|
| Enterprise Manager Base Platform, versions 12.1.0.5, 13.2, 13.3 | Enterprise Manager |
| Enterprise Manager for Virtualization, versions 13.2.2, 13.2.3, 13.3.1 | Enterprise Manager |
| Enterprise Manager Ops Center, versions 12.2.2, 12.3.3 | Enterprise Manager |
| Hyperion BI+, version 11.1.2.4 | Fusion Middleware |
| Java Advanced Management Console, version 2.12 | Java SE |
| JD Edwards EnterpriseOne Tools, version 9.2 | JD Edwards |
| JD Edwards World Security, versions A9.3, A9.3.1, A9.4 | JD Edwards |
| MySQL Connectors, versions 2.1.8 and prior, 8.0.13 and prior | MySQL |
| MySQL Enterprise Monitor, versions 4.0.7 and prior, 8.0.13 and prior | MySQL |
| MySQL Server, versions 5.6.42 and prior, 5.7.24 and prior, 8.0.13 and prior | MySQL |
| MySQL Workbench, versions 8.0.13 and prior | MySQL |
| Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1 | Oracle Supply Chain Products |
| Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6 | Oracle Supply Chain Products |
| Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0, 6.2.3.1 | Oracle Supply Chain Products |
| Oracle API Gateway, version 11.1.2.4.0 | Fusion Middleware |
| Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1 | Enterprise Manager |
| Oracle Argus Safety, versions 8.1, 8.2 | Health Sciences |
| Oracle Banking Platform, versions 2.5.0, 2.6.0, 2.6.1, 2.6.2 | Oracle Banking Platform |
| Oracle Business Process Management Suite, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Communications Billing and Revenue Management, versions 7.5, 12.0 | Oracle Communications Billing and Revenue Management |
| Oracle Communications Converged Application Server, versions prior to 7.0.0.1 | Oracle Communications Converged Application Server |
| Oracle Communications Converged Application Server – Service Controller, version 6.1 | Oracle Communications Converged Application Server – Service Controller |
| Oracle Communications Diameter Signaling Router (DSR), versions prior to 8.3 | Oracle Communications Diameter Signaling Router |
| Oracle Communications Online Mediation Controller, version 6.1 | Oracle Communications Online Mediation Controller |
| Oracle Communications Performance Intelligence Center (PIC) Software, versions prior to 10.2.1 | Oracle Communications Performance Intelligence Center (PIC) Software |
| Oracle Communications Policy Management, versions prior to 12.5 | Oracle Communications Policy Management |
| Oracle Communications Service Broker, version 6.0 | Oracle Communications Service Broker |
| Oracle Communications Services Gatekeeper, versions prior to 6.1.0.4.0 | Oracle Communications Services Gatekeeper |
| Oracle Communications Session Border Controller, versions SCz7.4.0, SCz7.4.1, SCz8.0.0, SCz8.1.0 | Oracle Communications Session Border Controller |
| Oracle Communications Unified Inventory Management, versions prior to 7.4.0 | Oracle Communications Unified Inventory Management |
| Oracle Communications Unified Session Manager, version SCz7.3.5 | Oracle Communications Unified Session Manager |
| Oracle Communications WebRTC Session Controller, versions prior to 7.2 | Oracle Communications WebRTC Session Controller |
| Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | Database |
| Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8 | E-Business Suite |
| Oracle Endeca Server, version 7.7.0 | Fusion Middleware |
| Oracle Enterprise Communications Broker, versions PCz2.1, PCz2.2, PCz3.0 | Oracle Enterprise Communications Broker |
| Oracle Enterprise Repository, version 12.1.3.0.0 | Fusion Middleware |
| Oracle Enterprise Session Border Controller, versions ECz7.4.0, ECz7.5.0, ECz8.0.0, ECz8.1.0 | Oracle Enterprise Session Border Controller |
| Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3, 7.3.5, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7 | Oracle Financial Services Analytical Applications Infrastructure |
| Oracle FLEXCUBE Direct Banking, version 12.0.2 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0 | Oracle Financial Services Applications |
| Oracle Fusion Middleware MapViewer, version 12.2.1.3.0 | Fusion Middleware |
| Oracle GoldenGate Application Adapters, version 12.3.2.1.1 | Fusion Middleware |
| Oracle Health Sciences Information Manager, version 3.0 | Health Sciences |
| Oracle Healthcare Foundation, versions 7.1, 7.2 | Health Sciences |
| Oracle Healthcare Master Person Index, versions 3.0, 4.0 | Health Sciences |
| Oracle Hospitality Cruise Fleet Management, version 9.0.10 | Oracle Hospitality Cruise Fleet Management |
| Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.8 | Oracle Hospitality Cruise Shipboard Property Management System |
| Oracle Hospitality Reporting and Analytics, version 9.1.0 | Oracle Hospitality Reporting and Analytics |
| Oracle Hospitality Simphony, version 2.10 | Oracle Hospitality Simphony |
| Oracle HTTP Server, version 12.2.1.3 | Fusion Middleware |
| Oracle Insurance Calculation Engine, version 10.2 | Oracle Insurance Applications |
| Oracle Insurance Insbridge Rating and Underwriting, versions 5.2, 5.4, 5.5 | Oracle Insurance Applications |
| Oracle Insurance Policy Administration J2EE, versions 10.0, 10.2 | Oracle Insurance Applications |
| Oracle Insurance Rules Palette, versions 10.0, 10.2 | Oracle Insurance Applications |
| Oracle Java SE, versions 7u201, 8u192, 11.0.1 | Java SE |
| Oracle Java SE Embedded, version 8u191 | Java SE |
| Oracle Managed File Transfer, versions 12.2.1.3.0, 19.1.0.0.0 | Fusion Middleware |
| Oracle Outside In Technology, versions 8.5.3, 8.5.4 | Fusion Middleware |
| Oracle Reports Developer, version 12.2.1.3 | Fusion Middleware |
| Oracle Retail Back Office, versions 13.3, 13.4, 14.0, 14.1 | Retail Applications |
| Oracle Retail Central Office, versions 13.3, 13.4, 14.0, 14.1 | Retail Applications |
| Oracle Retail Convenience and Fuel POS Software, version 2.8.1 | Retail Applications |
| Oracle Retail Customer Insights, versions 15.0, 16.0 | Retail Applications |
| Oracle Retail Integration Bus, version 17.0 | Retail Applications |
| Oracle Retail Merchandising System, version 14.1 | Retail Applications |
| Oracle Retail Returns Management, versions 13.3, 13.4, 14.0, 14.1 | Retail Applications |
| Oracle Retail Sales Audit, version 15.0 | Retail Applications |
| Oracle Retail Service Backbone, versions 13.1, 13.2, 14.0, 14.1, 15.0, 16.0 | Retail Applications |
| Oracle Retail Workforce Management Software, versions 1.60.9, 1.64.0 | Retail Applications |
| Oracle Retail Xstore Payment, version 3.3 | Retail Applications |
| Oracle Secure Global Desktop (SGD), version 5.4 | Virtualization |
| Oracle Service Architecture Leveraging Tuxedo, versions 12.1.3.0.0, 12.2.2.0.0 | Fusion Middleware |
| Oracle SOA Suite, versions 12.1.3.0.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Solaris, versions 10, 11 | Systems |
| Oracle Transportation Management, versions 6.3.7, 6.4.1, 6.4.2, 6.4.3 | Oracle Supply Chain Products |
| Oracle Utilities Framework, versions 4.3.0.1-4.3.0.4 | Oracle Utilities Applications |
| Oracle Utilities Network Management System, versions 1.12.0.3, 2.3.0.0, 2.3.0.1, 2.3.0.2 | Oracle Utilities Applications |
| Oracle VM VirtualBox, versions prior to 5.2.24, prior to 6.0.2 | Virtualization |
| Oracle Web Cache, version 11.1.1.9.0 | Fusion Middleware |
| Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle WebCenter Sites, version 11.1.1.8.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.3 | Fusion Middleware |
| OSS Support Tools, versions prior to 19.1 | Support Tools |
| PeopleSoft Enterprise CC Common Application Objects, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise CS Campus Community, versions 9.0, 9.2 | PeopleSoft |
| PeopleSoft Enterprise HCM eProfile Manager Desktop, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57 | PeopleSoft |
| PeopleSoft Enterprise SCM eProcurement, version 9.2 | PeopleSoft |
| Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 17.7-17.12, 18.8 | Oracle Construction and Engineering Suite |
| Primavera Unifier, versions 16.1, 16.2, 17.1-17.12, 18.8 | Oracle Construction and Engineering Suite |
| Siebel Applications, versions 18.10, 18.11 | Siebel |
| Sun ZFS Storage Appliance Kit (AK), versions prior to 8.8.2 | Systems |
| Tape Library ACSLS, version 8.4 | Systems |

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
