Overview
Recently, NSFOCUS CERT found that Oracle officially released a Critical Patch Update announcement (CPU) in January. A total of 413 vulnerabilities of different levels were fixed this time. This security update involves Oracle WebLogic Server, Oracle MySQL, Oracle Java SE, Oracle Fusion Middleware, Oracle HTTP Server and other commonly used products. Oracle strongly recommends that customers apply critical patch updates to fix the vulnerability as soon as possible.
Reference link: https://www.oracle.com/security-alerts/cpujan2024.html
Key Vulnerabilities
Screen out the vulnerabilities with great impact in this update according to product popularity and vulnerability importance.
Oracle WebLogic Server Security Features Bypass Vulnerabilities (CVE-2024-20927)
A security feature bypass vulnerability exists in Oracle WebLogic Server. A remote unauthenticated attacker can compromise system integrity through this vulnerability. .
Oracle WebLogic Server Information Disclosure Vulnerability (CVE-2024-20931)
Oracle WebLogic Server has an information disclosure vulnerability. An unauthenticated attacker sends a special request to the affected server through T3/IIOP protocol, which may realize illegal access to critical data or full access to all data of Oracle WebLogic Server, resulting in sensitive information disclosure.
Oracle WebLogic Server Security Features Bypass Vulnerabilities (CVE-2024-20986)
A security feature exists in Oracle WebLogic Server that bypasses a vulnerability by which remote unauthenticated attackers can compromise system integrity or disclose sensitive information after inducing victim interaction.
Multiple vulnerabilities in Oracle MySQL
This security update fixes 40 vulnerabilities for Oracle MySQL, 12 of which can be exploited remotely without user authentication (i.e., through the network without user credentials). High-risk vulnerabilities are numbered as follows:
- CVE-2023-38545
- CVE-2023-50164
- CVE-2023-5363
- CVE-2023-5363
- CVE-2023-46589
- CVE-2023-5363
- CVE-2023-5363
- CVE-2023-5363
- CVE-2023-41105
Multiple vulnerabilities in Oracle Financial Services Applications:
This security update fixes 71 vulnerabilities for Oracle Financial Services Applications. Fifty-four of these vulnerabilities were remotely exploitable without user authentication. High-risk vulnerabilities are numbered as follows:
- CVE-2023-46604
- CVE-2022-42920
- CVE-2023-24998
- CVE-2022-34169
- CVE-2023-24998
The vulnerabilities in the key patch update of Oracle official website in January are summarized as follows:
| Product | No. of Vulnerabilities | No. of unauthorized remote utilization | CVSS Score |
| Oracle Database Products Risk Matrices | 3 | 0 | 6.5 |
| Oracle Database Server | 3 | 0 | 6.5 |
| Oracle Audit Vault and Database Firewall | 5 | 1 | 7.6 |
| Oracle Big Data Spatial and Graph | 1 | 1 | 7.5 |
| Oracle Essbase | 3 | 2 | 9.8 |
| Oracle Global Lifecycle Management | 1 | 1 | 3.7 |
| Oracle GoldenGate | 1 | 1 | 3.7 |
| Oracle Graph Server and Client | 1 | 1 | 7.5 |
| Oracle NoSQL Database | 1 | 0 | 6.5 |
| Oracle REST Data Services | 5 | 4 | 7.5 |
| Oracle Secure Backup | 5 | 4 | 7.5 |
| Oracle SQL Developer | 5 | 4 | 7.5 |
| Oracle TimesTen In-Memory Database | 5 | 4 | 7.5 |
| Oracle Commerce | 5 | 4 | 7.5 |
| Oracle Communications Applications | 43 | 25 | 9.8 |
| Oracle Communications | 55 | 43 | 9.8 |
| Oracle Construction and Engineering | 6 | 2 | 7.5 |
| Oracle E-Business Suite | 19 | 14 | 6.5 |
| Oracle Enterprise Manager | 12 | 11 | 8.3 |
| Oracle Financial Services Applications | 71 | 54 | 9.8 |
| Oracle Fusion Middleware | 39 | 29 | 9.8 |
| Oracle Analytics | 17 | 11 | 8.2 |
| Oracle Hyperion | 11 | 10 | 9.8 |
| Oracle Java SE | 13 | 11 | 7.5 |
| Oracle JD Edwards | 9 | 6 | 9.8 |
| Oracle MySQL | 40 | 12 | 9.8 |
| Oracle PeopleSoft | 4 | 2 | 7.5 |
| Oracle Retail Applications | 6 | 5 | 9.8 |
| Oracle Siebel CRM | 2 | 2 | 7.5 |
| Oracle Supply Chain | 6 | 4 | 8.8 |
| Oracle Systems | 9 | 3 | 9.8 |
| Oracle Utilities Applications | 7 | 3 | 7.5 |
Mitigation
Patch update
Please refer to the Appendix “Affected Products and Patch Information” in this document to download the affected product update patch in time, and install and update it by referring to the readme file in the patch installation package to ensure long-term effective protection.
Note: The official patch of Oracle requires the user to have a licensed account of genuine software. After logging in https://support.oracle.com with this account, you can download the latest patch.
Temporary Weblogic Protection Measures
1. Restrict T3 protocol access
The following measures can be used to block attacks that exploit T3 protocol vulnerabilities if the user is temporarily unable to install patches or communicate with the JVM via the T3 protocol:
WebLogic Server provides a default connection filter named weblogic.security.net.ConnectionFilterImpl, which accepts all incoming connections. Access control can be performed on T3 and T3s protocols through the configuration rules of this connection filter. The detailed operation steps are as follows:
1) Go to the WebLogic console. On the configuration page of base_domain, go to the Security tab page and click Filters to configure connection filters.
2) Enter weblogic.security.net.ConnectionFilterImpl in the connection filter, and configure rules conforming to the actual situation of the enterprise in the connection filter rule by referring to the following writing:
127.0.0.1 * * allow t3 t3s
Local IP ** allow t3 t3s
IP allowed to be accessed ** allow t3 t3s * * * deny t3 t3s
The connection filter rule format is as follows: target localAddress localPort action protocols, where:
- target specifies one or more servers to filter.
- localAddress can be used to define the host address of the server. (If an asterisk (*) is specified, the returned match will be all local IP addresses.)
- localPort defines the port on which the server is listening. (If an asterisk is specified, the match will return all available ports on the server).
- action specifies the operation to be performed. (Value must be “allow” or “deny”.)
Protocols is a list of protocol names to be matched. (Must specify one of the following protocols: http, https, t3, t3s, giop, giops, dcom or ftp. If no protocol is defined, all protocols will match one rule.
3) If the rule does not take effect after saving, it is recommended to restart the WebLogic service (restarting the WebLogic service will cause business interruption. It is recommended that relevant personnel assess the risk before proceeding). Taking the Windows environment as an example, the steps to restart the service are as follows: Enter the bin directory under the directory where the domain is located, run stopWebLogic.cmd file in Windows system to terminate WebLogic service, and run stopWebLogic.sh file in Linux system.
After the termination script is executed, run the startWebLogic.cmd or startWebLogic.sh file to start WebLogic to restart the WebLogic service.
Reference link: https://docs.oracle.com/cd/E24329_01/web.1211/e24485/con_filtr.htm#SCPRG377
2. Disable IIOP protocol
Users can block attacks that exploit IIOP protocol vulnerabilities by disabling the IIOP protocol as follows: In the WebLogic console, choose Services > AdminServer > Protocol and uncheck Enable IIOP. Restart the WebLogic project to make the configuration take effect.
Affected Products and Patches
| Affected product and version number | Available patches |
| Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2430, prior to XCP3130, prior to XCP4040 | https://support.oracle.com/rs?type=doc&id=2992074.1 |
| GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.16, 21.3-21.12 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Integrated Lights Out Manager (ILOM), versions 3, 4, 5 | https://support.oracle.com/rs?type=doc&id=2992074.1 |
| JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.8.0 | https://support.oracle.com/rs?type=doc&id=2993346.1 |
| JD Edwards EnterpriseOne Tools, versions prior to 9.2.8.1 | https://support.oracle.com/rs?type=doc&id=2993346.1 |
| MySQL Cluster, versions 7.5.32 and prior, 7.6.28 and prior, 8.0.35 and prior, 8.1.0, 8.2.0 and prior | https://support.oracle.com/rs?type=doc&id=2992139.1 |
| MySQL Connectors, versions 8.0.35 and prior, 8.2.0 and prior | https://support.oracle.com/rs?type=doc&id=2992139.1 |
| MySQL Enterprise Monitor, versions 8.0.36 and prior | https://support.oracle.com/rs?type=doc&id=2992139.1 |
| MySQL Server, versions 8.0.35 and prior, 8.1.0, 8.2.0 and prior | https://support.oracle.com/rs?type=doc&id=2992139.1 |
| MySQL Workbench, versions 8.0.34 and prior | https://support.oracle.com/rs?type=doc&id=2992139.1 |
| Oracle Access Manager, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle Agile PLM, version 9.3.6 | https://support.oracle.com/rs?type=doc&id=2993347.1 |
| Oracle Agile Product Lifecycle Management for Process, versions prior to 6.2.4.2 | https://support.oracle.com/rs?type=doc&id=2993347.1 |
| Oracle Analytics Desktop, versions 6.4.0.0.0, prior to 7.2 | https://support.oracle.com/rs?type=doc&id=2991925.2 |
| Oracle Application Testing Suite, version 13.3.0.1 | https://support.oracle.com/rs?type=doc&id=2986271.1 |
| Oracle Audit Vault and Database Firewall, versions 20.1-20.9 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle Banking APIs, versions 19.1.0, 21.1.0, 22.1.0, 22.2.0 | https://support.oracle.com |
| Oracle Banking Branch, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Banking Cash Management, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Banking Collections and Recovery, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Banking Corporate Lending Process Management, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Banking Credit Facilities Process Management, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Banking Digital Experience, versions 19.1.0, 21.1.0, 22.1.0, 22.2.0 | https://support.oracle.com |
| Oracle Banking Electronic Data Exchange for Corporates, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Banking Enterprise Default Management, versions 14.5.0-14.7.0 | https://support.oracle.com/rs?type=doc&id=2992598.1 |
| Oracle Banking Extensibility Workbench, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Banking Liquidity Management, versions 14.5.0-14.7.0, 14.7.0.3.0 | https://support.oracle.com |
| Oracle Banking Origination, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Banking Party Management, versions 14.5.0-14.7.0 | https://support.oracle.com/rs?type=doc&id=2992598.1 |
| Oracle Banking Supply Chain Finance, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Banking Trade Finance Process Management, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Banking Virtual Account Management, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle BI Publisher, versions 6.4.0.0.0, 7.0.0.0.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991925.2 |
| Oracle Big Data Spatial and Graph, version 3.0.4 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle Business Intelligence Enterprise Edition, versions 6.4.0.0.0, 7.0.0.0.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991925.2 |
| Oracle Business Process Management Suite, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle Commerce Guided Search, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=2993583.1 |
| Oracle Commerce Platform, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=2993583.1 |
| Oracle Communications ASAP, version 7.4 | https://support.oracle.com/rs?type=doc&id=2992397.1 |
| Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=2992408.1 |
| Oracle Communications BRM – Elastic Charging Engine, versions 12.0.0.4-12.0.0.8 | https://support.oracle.com/rs?type=doc&id=2992676.1 |
| Oracle Communications Cloud Native Core Automated Test Suite, versions 23.1.3, 23.2.1, 23.3.0 | https://support.oracle.com/rs?type=doc&id=2994836.1 |
| Oracle Communications Cloud Native Core Console, versions 23.3.0, 23.3.1 | https://support.oracle.com/rs?type=doc&id=2996591.1 |
| Oracle Communications Cloud Native Core Network Data Analytics Function, versions 23.3.0, 23.4.0 | https://support.oracle.com/rs?type=doc&id=2994863.1 |
| Oracle Communications Cloud Native Core Network Exposure Function, version 23.3.1 | https://support.oracle.com/rs?type=doc&id=2996601.1 |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 23.1.0, 23.2.0, 23.3.1 | https://support.oracle.com/rs?type=doc&id=2994716.1 |
| Oracle Communications Cloud Native Core Network Repository Function, versions 23.1.4, 23.3.1 | https://support.oracle.com/rs?type=doc&id=2994837.1 |
| Oracle Communications Cloud Native Core Network Slice Selection Function, versions 23.2.0, 23.3.1 | https://support.oracle.com/rs?type=doc&id=2994716.1 |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.1.0, 23.2.0, 23.3.0 | https://support.oracle.com/rs?type=doc&id=2994878.1 |
| Oracle Communications Cloud Native Core Unified Data Repository, version 23.3.1 | https://support.oracle.com/rs?type=doc&id=2996603.1 |
| Oracle Communications Convergence, versions 3.0.3.2, 3.0.3.3 | https://support.oracle.com/rs?type=doc&id=2992469.1 |
| Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=2992468.1 |
| Oracle Communications Diameter Signaling Router, versions 8.6.0.0, 9.0.0.0 | https://support.oracle.com/rs?type=doc&id=2994879.1 |
| Oracle Communications Element Manager, versions 9.0.0.0.0-9.0.2.0.1, 9.4.53 | https://support.oracle.com/rs?type=doc&id=2994838.1 |
| Oracle Communications Fraud Monitor, versions 5.0, 5.1 | https://support.oracle.com/rs?type=doc&id=2996604.1 |
| Oracle Communications Instant Messaging Server, version 10.0.1.7.0 | https://support.oracle.com/rs?type=doc&id=2992469.1 |
| Oracle Communications IP Service Activator, versions 7.4.0, 7.5.0 | https://support.oracle.com/rs?type=doc&id=2992410.1 |
| Oracle Communications Messaging Server, version 8.1.0.24.0 | https://support.oracle.com/rs?type=doc&id=2992469.1 |
| Oracle Communications MetaSolv Solution, version 6.3.1.0.0 | https://support.oracle.com/rs?type=doc&id=2992415.1 |
| Oracle Communications Network Analytics Data Director, versions 23.2.0.0.2, 23.3.0.0.0 | https://support.oracle.com/rs?type=doc&id=2994883.1 |
| Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=2992468.1 |
| Oracle Communications Order and Service Management, versions 7.4.0, 7.4.1 | https://support.oracle.com/rs?type=doc&id=2992395.1 |
| Oracle Communications Policy Management, versions 12.6.1.0.0, 15.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=2994869.1 |
| Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=2992675.1 |
| Oracle Communications Service Catalog and Design, versions 7.4.0.7.0, 7.4.1.5.0, 7.4.2.8.0 | https://support.oracle.com/rs?type=doc&id=2992416.1 |
| Oracle Communications Session Report Manager, versions 9.0.0.0.0-9.0.2.0.1, 9.4.53 | https://support.oracle.com/rs?type=doc&id=2994862.1 |
| Oracle Communications Unified Assurance, versions 5.0.0-5.5.19, 6.0.0-6.0.3 | https://support.oracle.com/rs?type=doc&id=2997814.1 |
| Oracle Communications Unified Inventory Management, versions 7.4.0, 7.4.1, 7.4.2 | https://support.oracle.com/rs?type=doc&id=2992387.1 |
| Oracle Complex Maintenance, Repair, and Overhaul, versions 11.5, 12.1, 12.2 | https://support.oracle.com/rs?type=doc&id=2993347.1 |
| Oracle Database Server, versions 19.3-19.21, 21.3-21.12, 22.3-23.8, 23.9.0-23.9.4, 23.10 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle E-Business Suite, versions 12.2.3-12.2.13 | https://support.oracle.com/rs?type=doc&id=2484000.1 |
| Oracle Enterprise Data Quality, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle Enterprise Manager Base Platform, version 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2986271.1 |
| Oracle Enterprise Manager for Fusion Middleware, version 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2986271.1 |
| Oracle Enterprise Manager for Oracle Database, version 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2986271.1 |
| Oracle Enterprise Manager for Oracle Virtual Infrastructure, version 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2986271.1 |
| Oracle Enterprise Manager for Virtualization, version 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2986271.1 |
| Oracle Enterprise Manager Ops Center, version 12.4.0.0 | https://support.oracle.com/rs?type=doc&id=2986271.1 |
| Oracle Essbase, version 21.5.3.0.0 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7, 8.0.8, 8.0.9, 8.1.0, 8.1.1, 8.1.2 | https://support.oracle.com/rs?type=doc&id=2995877.1 |
| Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.5, 8.1.2.6 | https://support.oracle.com/rs?type=doc&id=2992488.1 |
| Oracle Financial Services Compliance Studio, version 8.1.2.5 | https://support.oracle.com/rs?type=doc&id=2992388.1 |
| Oracle Financial Services Enterprise Case Management, versions 8.0.8.2, 8.1.1.1, 8.1.2.5, 8.1.2.6 | https://support.oracle.com/rs?type=doc&id=2992664.1 |
| Oracle Financial Services Lending and Leasing, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Financial Services Revenue Management and Billing, versions 2.7.1, 2.8.0, 2.9.0, 2.9.1, 3.0.0-3.2.0, 4.0.0, 5.0.0, 5.1.0, 6.0.0 | https://support.oracle.com/rs?type=doc&id=2996660.1 |
| Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8 | https://support.oracle.com/rs?type=doc&id=2992489.1 |
| Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle FLEXCUBE Investor Servicing, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle FLEXCUBE Private Banking, versions 14.5.0-14.7.0 | https://support.oracle.com |
| Oracle Fusion Middleware, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.40 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle GoldenGate, versions 19.1.0.0.0-19.1.0.0.231017, 21.3-21.12 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle GoldenGate Studio, version 12.2.0.4.0 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle GraalVM Enterprise Edition, versions 20.3.12, 21.3.8, 22.3.4 | https://support.oracle.com/rs?type=doc&id=2992318.1 |
| Oracle GraalVM for JDK, versions 17.0.9, 21.0.1 | https://support.oracle.com/rs?type=doc&id=2992318.1 |
| Oracle Graph Server and Client, versions prior to 22.4.6, prior to 23.4.0 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle HTTP Server, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle Hyperion Calculation Manager, version 11.2.14.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Hyperion Financial Data Quality Management, Enterprise Edition, version 11.2.14.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Hyperion Financial Management, version 11.2.14.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Hyperion Financial Reporting, version 11.2.14.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Hyperion Infrastructure Technology, version 11.2.14.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Hyperion Planning, version 11.2.14.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Identity Manager, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle Java SE, versions 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1 | https://support.oracle.com/rs?type=doc&id=2992318.1 |
| Oracle JDeveloper, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle Managed File Transfer, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle NoSQL Database, versions prior to 1.6, prior to 19.5.40, prior to 20.3.38, prior to 21.2.30, prior to 22.3.94, prior to 23.1.29 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle Outside In Technology, version 8.5.6 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle REST Data Services, versions prior to 23.3.0 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle Retail Advanced Inventory Planning, versions 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2992095.1 |
| Oracle Retail Customer Management and Segmentation Foundation, versions 18.0.0.14, 19.0.0.8 | https://support.oracle.com/rs?type=doc&id=2992095.1 |
| Oracle Retail EFTLink, versions 20.0.1, 21.0.0-23.0.0 | https://support.oracle.com/rs?type=doc&id=2992095.1 |
| Oracle Secure Backup, versions prior to 18.1.0.2.0 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle Service Bus, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle SOA Suite, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle Solaris, version 11 | https://support.oracle.com/rs?type=doc&id=2992074.1 |
| Oracle SQL Developer, versions 21.4.2, 22.2.0, 23.1.0 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
| Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1, 2.5.0.1, 2.5.0.2, 2.6.0.0, 2.6.0.1 | https://support.oracle.com/rs?type=doc&id=2992789.1 |
| Oracle Utilties Application Framework, versions 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3 | https://support.oracle.com/rs?type=doc&id=2992789.1 |
| Oracle WebCenter Content, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle WebCenter Portal, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle WebCenter Sites, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2991923.2 |
| Oracle ZFS Storage Appliance Kit, version 8.8 | https://support.oracle.com/rs?type=doc&id=2992074.1 |
| PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60, 8.61 | https://support.oracle.com/rs?type=doc&id=2993343.1 |
| Primavera P6 Enterprise Project Portfolio Management, versions 19.12.0-19.12.22, 20.12.0-20.12.20, 21.12.0-21.12.17, 22.12.0-22.12.10 | https://support.oracle.com/rs?type=doc&id=2993521.1 |
| Primavera Unifier, versions 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.11 | https://support.oracle.com/rs?type=doc&id=2993521.1 |
| Siebel Applications, versions prior to 23.12 | https://support.oracle.com/rs?type=doc&id=2993345.1 |
| TimesTen In-Memory Database, versions prior to 21.1.1.19.0, prior to 22.1.1.19.0 | https://support.oracle.com/rs?type=doc&id=2986269.1 |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.
