Oracle Critical Patch Update January 2020 Security Alert

January 28, 2020 | Mina Hao

Overview

On January 14, 2020, Oracle released its Critical Patch Update (CPU) advisory together with its third-party security advisory, fixing 334 vulnerabilities in total. See the appendix table for the affected versions of each product and the document in which its patches are published.

For complete information, please refer to the official notice:

https://www.oracle.com/security-alerts/cpujan2020.html

Vulnerability Summary

| Product | Number of vulnerabilities | Remotely exploitable without authentication | Highest CVSS score |
|---|---|---|---|
| Oracle Database Server | 12 | 3 | 7.7 |
| Oracle Communications Applications | 25 | 23 | 9.8 |
| Oracle Construction and Engineering Suite | 12 | 8 | 9.8 |
| Oracle E-Business Suite | 23 | 21 | 9.9 |
| Oracle Enterprise Manager | 50 | 10 | 9.8 |
| Oracle Financial Services Applications | 24 | 6 | 7.5 |
| Oracle Food and Beverage Applications | 1 | 0 | 4.9 |
| Oracle Fusion Middleware | 38 | 30 | 9.8 |
| Oracle GraalVM | 5 | 3 | 9.8 |
| Oracle Health Sciences Applications | 3 | 3 | 9.8 |
| Oracle Hospitality Applications | 5 | 2 | 7.5 |
| Oracle Hyperion | 2 | 1 | 9.8 |
| Oracle iLearning | 1 | 1 | 4.7 |
| Oracle Java SE | 12 | 12 | 8.1 |
| Oracle JD Edwards | 9 | 9 | 9.8 |
| Oracle MySQL | 19 | 6 | 7.5 |
| Oracle PeopleSoft | 15 | 12 | 9.8 |
| Oracle Retail Applications | 22 | 14 | 9.8 |
| Oracle Siebel CRM | 5 | 5 | 9.8 |
| Oracle Systems | 17 | 8 | 9.8 |
| Oracle Supply Chain | 8 | 8 | 9.6 |
| Oracle Utilities Applications | 4 | 4 | 9.8 |
| Oracle Virtualization | 22 | 3 | 8.2 |

Affected products and versions

Please refer to the appendix at the end of the article for the affected products and versions.

Critical patch update (CPU)

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical patch updates are cumulative, but each CPU advisory describes only the security fixes added since the previous CPU advisory. Previous CPU advisories should therefore be reviewed for information on security fixes for earlier releases.

Solution

Given the threat posed by a successful attack, Oracle strongly recommends that customers download and install the Critical Patch Update as soon as possible.

Appendix

Affected products (including versions) and related patches are shown in the table below:

| Affected Products and Versions | Patch Availability Document |
|---|---|
| Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0, 13.3.0.0 | Enterprise Manager |
| Enterprise Manager for Fusion Middleware, versions 13.2.0.0, 13.3.0.0 | Enterprise Manager |
| Enterprise Manager for Oracle Database, versions 12.1.0.5, 13.2.0.0, 13.3.0.0 | Enterprise Manager |
| Enterprise Manager Ops Center, versions 12.3.3, 12.4.0 | Enterprise Manager |
| Hyperion Financial Close Management, version 11.1.2.4 | Fusion Middleware |
| Hyperion Planning, version 11.1.2.4 | Fusion Middleware |
| Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0 | Fusion Middleware |
| Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | Oracle Construction and Engineering Suite |
| JD Edwards EnterpriseOne Orchestrator, version 9.2 | JD Edwards |
| JD Edwards EnterpriseOne Tools, version 9.2 | JD Edwards |
| MySQL Client, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior | MySQL |
| MySQL Cluster, versions 7.3.27 and prior, 7.4.25 and prior, 7.5.15 and prior, 7.6.12 and prior | MySQL |
| MySQL Connectors, versions 5.3.13 and prior, 8.0.18 and prior | MySQL |
| MySQL Enterprise Backup, versions 3.12.4 and prior, 4.1.3 and prior | MySQL |
| MySQL Server, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior | MySQL |
| MySQL Workbench, versions 8.0.18 and prior | MySQL |
| Oracle Agile Engineering Data Management, versions 6.2.0, 6.2.1 | Oracle Supply Chain Products |
| Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6 | Oracle Supply Chain Products |
| Oracle Agile PLM Framework, version 9.3.3 | Oracle Supply Chain Products |
| Oracle Agile PLM MCAD Connector, versions 3.4, 3.5, 3.6 | Oracle Supply Chain Products |
| Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1, 13.3.0.1 | Enterprise Manager |
| Oracle AutoVue, version 12.0.2 | Oracle Supply Chain Products |
| Oracle Banking Corporate Lending, versions 12.3.0-12.4.0, 14.0.0-14.3.0 | Oracle Financial Services Applications |
| Oracle Banking Payments, versions 14.1.0-14.3.0 | Oracle Financial Services Applications |
| Oracle Big Data Discovery, version 1.6 | Fusion Middleware |
| Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Clinical, version 5.2 | Health Sciences |
| Oracle Coherence, versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Communications Design Studio, versions 7.3.4.3.0, 7.3.5.5.0, 7.4.0.4.0, 7.4.1.1.0 | Oracle Communications Design Studio |
| Oracle Communications Diameter Signaling Router (DSR), versions 8.0, 8.1, 8.2, 8.3, 8.4 | Oracle Communications Diameter Signaling Router |
| Oracle Communications Instant Messaging Server, version 10.0.1.3.0 | Oracle Communications Instant Messaging Server |
| Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2, 6.3 | Oracle Communications Interactive Session Recorder |
| Oracle Communications IP Service Activator, versions 7.3.4, 7.4.0 | Oracle Communications IP Service Activator |
| Oracle Communications Session Border Controller, versions 7.4, 8.0, 8.1, 8.2, 8.3 | Oracle Communications Session Border Controller |
| Oracle Communications Session Router, versions 7.4, 8.0, 8.1, 8.2, 8.3 | Oracle Communications Session Router |
| Oracle Communications Subscriber-Aware Load Balancer, versions 7.3, 8.1, 8.3 | Oracle Communications Subscriber-Aware Load Balancer |
| Oracle Communications Unified Inventory Management, versions 7.3, 7.4 | Oracle Communications Unified Inventory Management |
| Oracle Communications Unified Session Manager, versions 7.3.5, 8.2.5 | Oracle Communications Unified Session Manager |
| Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.1.0.11, 12.2.0.1, 18c, 19c, 29, 212.2.0.1 | Database |
| Oracle Demantra Demand Management, versions 12.2.4, 12.2.4.1, 12.2.5, 12.2.5.1 | Oracle Supply Chain Products |
| Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9 | E-Business Suite |
| Oracle Endeca Information Discovery Integrator, version 3.2.0 | Fusion Middleware |
| Oracle Endeca Information Discovery Studio, version 3.2.0 | Fusion Middleware |
| Oracle Enterprise Communications Broker, versions PCz3.0, PCz3.1, PCz3.2 | Oracle Enterprise Communications Broker |
| Oracle Enterprise Repository, version 12.1.3.0.0 | Fusion Middleware |
| Oracle Enterprise Session Border Controller, versions 7.5, 8.0, 8.1, 8.2, 8.3 | Oracle Enterprise Session Border Controller |
| Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3-7.3.5, 8.0.0-8.0.8 | Oracle Financial Services Analytical Applications Infrastructure |
| Oracle Financial Services Funds Transfer Pricing, versions 8.0.2-8.0.7 | Oracle Financial Services Funds Transfer Pricing |
| Oracle Financial Services Revenue Management and Billing, versions 2.7.0.0, 2.7.0.1, 2.8.0.0 | Oracle Financial Services Revenue Management and Billing |
| Oracle FLEXCUBE Investor Servicing, versions 12.1.0-12.4.0, 14.0.0-14.1.0 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Universal Banking, versions 12.0.1-12.4.0, 14.0.0-14.3.0 | Oracle Financial Services Applications |
| Oracle GraalVM Enterprise Edition, version 19.3.0.2 | Oracle GraalVM Enterprise Edition |
| Oracle Health Sciences Data Management Workbench, versions 2.4, 2.5 | Health Sciences |
| Oracle Healthcare Master Person Index, version 3.0 | Health Sciences |
| Oracle Hospitality Cruise Materials Management, version 7.30.567 | Oracle Hospitality Cruise Materials Management |
| Oracle Hospitality Guest Access, version 4.2 | Oracle Hospitality Guest Access |
| Oracle Hospitality OPERA 5, versions 5.5, 5.6 | Oracle Hospitality OPERA 5 Property Services |
| Oracle Hospitality Suites Management, versions 3.7, 3.8 | Oracle Hospitality Suites Management |
| Oracle HTTP Server, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle iLearning, version 6.1 | iLearning |
| Oracle Java SE, versions 7u241, 8u231, 8u241, 11.0.5, 13.0.1 | Java SE |
| Oracle Java SE Embedded, version 8u231 | Java SE |
| Oracle Outside In Technology, version 8.5.4 | Fusion Middleware |
| Oracle Real-Time Scheduler, versions 2.3.0.1-2.3.0.3 | Oracle Utilities Applications |
| Oracle Reports Developer, versions 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Clearance Optimization Engine, versions 13.4, 14.0, 14.0.3, 14.0.5 | Retail Applications |
| Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0 | Retail Applications |
| Oracle Retail Markdown Optimization, versions 13.4, 13.4.4 | Retail Applications |
| Oracle Retail Order Broker, versions 5.2, 15.0, 16.0, 18.0 | Retail Applications |
| Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3 | Retail Applications |
| Oracle Retail Sales Audit, version 15.0.3.16.0.2 | Retail Applications |
| Oracle Secure Global Desktop, versions 5.4, 5.5 | Virtualization |
| Oracle Security Service, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Solaris, versions 10, 11 | Systems |
| Oracle Tuxedo, versions 12.1.1.0.0, 12.1.3.0.0 | Fusion Middleware |
| Oracle Utilities Framework, versions 4.2.0.2-4.2.0.3, 4.3.0.1-4.3.0.4 | Oracle Utilities Applications |
| Oracle Utilities Mobile Workforce Management, versions 2.3.0.1-2.3.0.3 | Oracle Utilities Applications |
| Oracle Utilities Work and Asset Management (v1), version 1.9.1.2 | Oracle Utilities Applications |
| Oracle VM Server for SPARC, version 3.6 | Systems |
| Oracle VM VirtualBox, versions prior to 5.2.36, prior to 6.0.16, prior to 6.1.2 | Virtualization |
| Oracle WebCenter Sites, version 12.2.1.3.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 | Fusion Middleware |
| PeopleSoft Enterprise CC Common Application Objects, versions 9.1, 9.2 | PeopleSoft |
| PeopleSoft Enterprise HCM Human Resources, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | PeopleSoft |
| PeopleSoft PeopleTools, versions 8.56, 8.57 | PeopleSoft |
| Primavera Gateway, versions 15.2.18, 16.2.11, 17.12.6, 18.8.8.1 | Oracle Construction and Engineering Suite |
| Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0.0-15.2.18.7, 16.1.0.0-16.2.19.0, 17.1.0.0-17.12.16.0, 18.1.0.0-18.8.16.0, 19.12.0.0, 20.1.0.0 | Oracle Construction and Engineering Suite |
| Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12 | Oracle Construction and Engineering Suite |
| Siebel Applications, versions 19.10 and prior | Siebel |
| Sun ZFS Storage Appliance Kit, version 8.8.6 | Systems |
| Tape Library ACSLS, versions 8.5, 8.5.1 | Systems |
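The appendix expresses affected versions in four ways: exact versions, "X and prior", "prior to X", and closed ranges "A-B". As an added example (not code from NSFOCUS or Oracle), the following Python checker parses rows in that format and reports whether an installed version is covered. The sample rows are copied from the table; the reading that "X and prior" and "prior to X" apply only within X's own release train is an assumption made here.

```python
import re

# Sample rows copied from the appendix, in its "Product, version(s) ..." format
# (exact versions, "X and prior", "prior to X", and closed ranges "A-B").
SAMPLE_ROWS = [
    "MySQL Server, versions 5.6.46 and prior, 5.7.28 and prior, 8.0.18 and prior",
    "Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9",
    "Oracle VM VirtualBox, versions prior to 5.2.36, prior to 6.0.16, prior to 6.1.2",
    "Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0",
]

def vtuple(v):
    """'12.2.1.3.0' -> (12, 2, 1, 3, 0); '18c' -> (18,)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def compare(a, b):
    """-1, 0 or 1 for a < b, a == b, a > b, zero-padded so 12.2.1.3 == 12.2.1.3.0."""
    n = max(len(a), len(b))
    a, b = a + (0,) * (n - len(a)), b + (0,) * (n - len(b))
    return (a > b) - (a < b)

def same_train(v, bound):
    """Assumption used here: 'X and prior' / 'prior to X' only cover X's own release
    train (5.6.46 covers 5.6.y, not 5.5.y), since the advisory lists each train."""
    v = v + (0,) * (len(bound) - len(v))
    return v[:len(bound) - 1] == bound[:-1]

def expr_matches(expr, v):
    """Does one version expression from the appendix cover installed version v?"""
    if expr.startswith("prior to "):
        b = vtuple(expr[len("prior to "):])
        return same_train(v, b) and compare(v, b) < 0
    if expr.endswith(" and prior"):
        b = vtuple(expr[:-len(" and prior")])
        return same_train(v, b) and compare(v, b) <= 0
    if "-" in expr:
        lo, hi = (vtuple(p) for p in expr.split("-", 1))
        return compare(lo, v) <= 0 and compare(v, hi) <= 0
    return compare(v, vtuple(expr)) == 0

def parse_row(row):
    """Split an appendix row into (product, [version expressions])."""
    product, _, spec = row.partition(", version")
    spec = spec[1:] if spec.startswith("s") else spec  # 'version' vs 'versions'
    return product.strip(), [e.strip() for e in spec.split(",") if e.strip()]

def affected(product, installed, rows=SAMPLE_ROWS):
    """True if the installed version of product falls under any listed expression."""
    table = dict(parse_row(r) for r in rows)
    return any(expr_matches(e, vtuple(installed)) for e in table.get(product, []))
```

Feeding the full appendix into `rows` turns this into a first-pass inventory check; it does not replace Oracle's patch availability documents, which are authoritative for the exact fixed release.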

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.