Oracle July 2019 Critical Patch Update for All Product Families Threat Alert

July 26, 2019 | Adeline Zhang

Overview

On July 16, 2019, local time, Oracle released its own security advisory and third-party security advisories for its July 2019 Critical Patch Update (CPU), which fixes 319 vulnerabilities of varying severity levels across its product families. For details about affected products and available patches, visit the following link:

For more details, see Oracle’s official security advisories at the following link:

https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html

Vulnerabilities

| Product | Number of Vulnerabilities | Number of Remote Exploits Without Auth. | CVSS Base Score |
|---|---|---|---|
| Oracle Database server | 8 | 1 | 9.8 |
| Oracle Global Lifecycle Management | 1 | 0 | 7.2 |
| Oracle Berkeley DB | 5 | 0 | 7.0 |
| Oracle Communications Applications | 24 | 21 | 9.8 |
| Oracle Construction and Engineering Suite | 8 | 8 | 9.8 |
| Oracle E-Business Suite | 13 | 12 | 9.6 |
| Oracle Enterprise Manager Products Suite | 12 | 10 | 9.8 |
| Oracle Financial Services Applications | 60 | 50 | 9.8 |
| Oracle Food and Beverage Applications | 3 | 2 | 8.2 |
| Oracle Fusion Middleware | 33 | 28 | 9.8 |
| Oracle Hospitality Applications | 2 | 1 | 6.5 |
| Oracle Hyperion | 3 | 0 | 4.5 |
| Oracle Insurance Applications | 7 | 7 | 9.8 |
| Oracle Java SE | 10 | 9 | 6.8 |
| Oracle GraalVM | 2 | 1 | 7.7 |
| Oracle JD Edwards Products | 5 | 5 | 9.8 |
| Oracle MySQL | 45 | 4 | 9.8 |
| Oracle PeopleSoft Products | 8 | 5 | 7.5 |
| Oracle Retail Applications | 21 | 14 | 9.8 |
| Oracle Siebel CRM | 3 | 1 | 6.1 |
| Oracle Sun Systems Products Suite | 14 | 8 | 9.8 |
| Oracle Supply Chain Products Suite | 8 | 6 | 9.8 |
| Oracle Support Tools | 7 | 7 | 9.8 |
| Oracle Utilities Applications | 3 | 3 | 9.8 |
| Oracle Virtualization | 14 | 1 | 8.8 |

Affected Products and Versions

For details, see the appendix.

Critical Patch Update

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes.

Solution

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

Appendix

The following table lists affected products (and their versions) and related patches.

| Affected Products and Versions | Patch Availability Document |
|---|---|
| Application Express, versions 5.1, 18.2 | Database |
| Diagnostic Assistant, versions prior to 2.12.36 | Support Tools |
| Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0 | Enterprise Manager |
| Enterprise Manager for Fusion Middleware, versions 13.2, 13.3 | Enterprise Manager |
| Enterprise Manager for Virtualization, versions 13.1, 13.2, 13.3 | Enterprise Manager |
| Enterprise Manager Ops Center, versions 12.3.3, 12.4.0 | Enterprise Manager |
| Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | Oracle Construction and Engineering Suite |
| JD Edwards EnterpriseOne Tools, version 9.2 | JD Edwards |
| JD Edwards World Security, versions A9.3, A9.3.1, A9.4 | JD Edwards |
| MICROS Retail XBRi Loss Prevention, versions 10.8.0 – 10.8.3 | Retail Applications |
| MICROS Retail-J, versions 12.1.0, 12.1.1, 12.1.2, 13.1 | Retail Applications |
| MySQL Enterprise Monitor, versions 4.0.9 and prior, 8.0.14 and prior | MySQL |
| MySQL Server, versions 5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior | MySQL |
| MySQL Workbench, versions 8.0.16 and prior | MySQL |
| Oracle Agile Engineering Data Management, versions 6.2.0, 6.2.1 | Oracle Supply Chain Products |
| Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6 | Oracle Supply Chain Products |
| Oracle Application Testing Suite, versions 13.1, 13.2, 13.3 | Enterprise Manager |
| Oracle Banking Platform, versions 2.4.0 – 2.7.1 | Oracle Banking Platform |
| Oracle Berkeley DB, versions 12.1.6.1.23, 12.1.6.1.26, 12.1.6.1.29, 12.1.6.1.36, 12.1.6.2.23, 12.1.6.2.32 | Berkeley DB |
| Oracle BI Publisher, version 11.1.1.9.0 | Fusion Middleware |
| Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.4.0 | Fusion Middleware |
| Oracle Clusterware, version 12.1.0.2.0 | Support Tools |
| Oracle Communications Application Session Controller, versions 3.7.1, 3.8.0 | Oracle Communications Application Session Controller |
| Oracle Communications Billing and Revenue Management, versions 7.5, 12.0 | Oracle Communications Billing and Revenue Management |
| Oracle Communications Converged Application Server, versions 5.1, 7.0, 7.1 | Oracle Communications Converged Application Server |
| Oracle Communications Converged Application Server – Service Controller, versions 6.0, 6.1 | Oracle Communications Converged Application Server – Service Controller |
| Oracle Communications Convergence, version 3.0.2 | Oracle Communications Convergence |
| Oracle Communications Diameter Signaling Router (DSR), versions 8.0, 8.1, 8.2, 8.3 | Oracle Communications Diameter Signaling Router |
| Oracle Communications EAGLE (Software), versions 46.5, 46.6, 46.7 | Oracle Communications EAGLE (Software) |
| Oracle Communications Instant Messaging Server, version 10.0.1.2.0 | Oracle Communications Instant Messaging Server |
| Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2 | Oracle Communications Interactive Session Recorder |
| Oracle Communications Messaging Server, versions 8.0.2, 8.1.0 | Oracle Communications Messaging Server |
| Oracle Communications Online Mediation Controller, version 6.1 | Oracle Communications Online Mediation Controller |
| Oracle Communications Unified, version 8.0.0.2.0 | Oracle Communications Calendar Server |
| Oracle Data Integrator, version 12.2.1.3.0 | Fusion Middleware |
| Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | Database |
| Oracle Demantra Demand Management, version 7.3.1.5.2 | Oracle Supply Chain Products |
| Oracle E-Business Suite, versions 12.1.1 – 12.1.3, 12.2.3 – 12.2.8 | E-Business Suite |
| Oracle Endeca Information Discovery Integrator, version 3.2.0 | Fusion Middleware |
| Oracle Endeca Server, version 7.7.0 | Fusion Middleware |
| Oracle Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0 | Enterprise Manager |
| Oracle Enterprise Repository, version 12.1.3.0.0 | Fusion Middleware |
| Oracle Financial Services – Regulatory Reporting for Reserve Bank of India – Lombard Risk Integration Pack, version 8.0.7 | Oracle Financial Services – Regulatory Reporting for Reserve Bank of India |
| Oracle Financial Services – Regulatory Reporting for US Federal Reserve – Lombard Risk Integration Pack, versions 8.0.4 – 8.0.7 | Oracle Financial Services Regulatory Reporting for US Federal Reserve |
| Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3 – 7.3.5, 8.0.2 – 8.0.8 | Oracle Financial Services Analytical Applications Infrastructure |
| Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.4 – 8.0.7 | Oracle Financial Services Analytical Applications Reconciliation Framework |
| Oracle Financial Services Asset Liability Management, versions 8.0.4 – 8.0.7 | Oracle Financial Services Asset Liability Management |
| Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.4 – 8.0.7 | Oracle Financial Services Basel Regulatory Capital Basic |
| Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.4 – 8.0.7 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach |
| Oracle Financial Services Data Foundation, versions 8.0.4 – 8.0.8 | Oracle Financial Services Data Foundation |
| Oracle Financial Services Data Integration Hub, versions 8.0.5 – 8.0.7 | Oracle Financial Services Data Integration Hub |
| Oracle Financial Services Funds Transfer Pricing, versions 8.0.4 – 8.0.7 | Oracle Financial Services Funds Transfer Pricing |
| Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4 – 8.0.7 | Oracle Financial Services Hedge Management and IFRS Valuations |
| Oracle Financial Services Institutional Performance Analytics, versions 8.0.4 – 8.0.7 | Oracle Financial Services Institutional Performance Analytics |
| Oracle Financial Services Liquidity Risk Management, versions 8.0.1, 8.0.2, 8.0.4, 8.0.5, 8.0.6 | Oracle Financial Services Liquidity Risk Management |
| Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8 | Oracle Financial Services Liquidity Risk Measurement and Management |
| Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.2 – 8.0.7 | Oracle Financial Services Loan Loss Forecasting and Provisioning |
| Oracle Financial Services Market Risk Measurement and Management, versions 8.0.5, 8.0.6, 8.0.8 | Oracle Financial Services Market Risk Measurement and Management |
| Oracle Financial Services Price Creation and Discovery, versions 8.0.4 – 8.0.7 | Oracle Financial Services Price Creation And Discovery |
| Oracle Financial Services Profitability Management, versions 8.0.4 – 8.0.7 | Oracle Financial Services Profitability Management |
| Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6, 8.0.7 | Oracle Financial Services Regulatory Reporting for European Banking Authority |
| Oracle Financial Services Regulatory Reporting for European Banking Authority – Integration Pack for Lombard Risk, versions 8.0.6, 8.0.7 | Oracle Financial Services Regulatory Reporting for European Banking Authority |
| Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.4 – 8.0.7 | Oracle Financial Services Regulatory Reporting for US Federal Reserve |
| Oracle Financial Services Retail Customer Analytics, versions 8.0.4 – 8.0.6 | Oracle Financial Services Retail Customer Analytics |
| Oracle Financial Services Revenue Management and Billing, versions 2.4.0.0, 2.4.0.1 | Oracle Financial Services Revenue Management and Billing |
| Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.6.0, 11.7.0, 11.8.0 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.0, 12.1 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Investor Servicing, versions 12.0.1, 12.0.3, 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Private Banking, versions 12.0.1, 12.0.3, 12.1.0 | Oracle Financial Services Applications |
| Oracle FLEXCUBE Universal Banking, versions 12.0.1 – 12.0.3, 12.1.0 – 12.4.0, 14.0.0 – 14.2.0 | Oracle Financial Services Applications |
| Oracle Global Lifecycle Management OPatchAuto, versions prior to 12.2.0.1.14 | Oracle Global Lifecycle Management OPatchAuto |
| Oracle GraalVM Enterprise Edition, version 19.0.0 | Oracle GraalVM Enterprise Edition |
| Oracle Hospitality Gift and Loyalty, versions 9.0.0, 9.1.0 | Oracle Hospitality Gift and Loyalty |
| Oracle Hospitality Guest Access, versions 4.2, 4.2.1 | Oracle Hospitality Guest Access |
| Oracle Hospitality Simphony, version 18.2.1 | Oracle Hospitality Simphony |
| Oracle Hospitality Suite8, versions 8.9.6, 8.10.2, 8.11 – 8.14 | Oracle Hospitality Suite8 |
| Oracle HTTP Server, versions 12.1.3.0.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Hyperion Planning, version 11.1.2.4 | Fusion Middleware |
| Oracle Hyperion Workspace, version 11.1.2.4 | Fusion Middleware |
| Oracle Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle Insurance Allocation Manager for Enterprise Profitability, version 8.0.8 | Oracle Insurance Allocation Manager for Enterprise Profitability |
| Oracle Insurance Calculation Engine, versions 9.7, 10.0, 10.1, 10.2 | Oracle Insurance Applications |
| Oracle Insurance Data Foundation, versions 8.0.4 – 8.0.7 | Oracle Insurance Data Foundation |
| Oracle Insurance IFRS 17 Analyzer, versions 8.0.6, 8.0.7 | Oracle Insurance IFRS 17 Analyzer |
| Oracle Insurance Performance Insight, version 8.0.7 | Oracle Insurance Performance Insight |
| Oracle Insurance Policy Administration J2EE, versions 10.0, 10.1, 10.2, 11.0 | Oracle Insurance Applications |
| Oracle Insurance Rules Palette, versions 10.0, 10.1, 10.2, 11.0 | Oracle Insurance Applications |
| Oracle Java SE, versions 7u221, 8u212, 11.0.3, 12.0.1 | Java SE |
| Oracle Java SE Embedded, version 8u211 | Java SE |
| Oracle Outside In Technology, version 8.5.4 | Fusion Middleware |
| Oracle Retail Advanced Inventory Planning, version 15.0 | Retail Applications |
| Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0 | Retail Applications |
| Oracle Retail Financial Integration, versions 14.0, 14.1, 15.0, 16.0 | Retail Applications |
| Oracle Retail Integration Bus, versions 15.0, 16.0 | Retail Applications |
| Oracle Retail Order Broker, versions 5.2, 15.0 | Retail Applications |
| Oracle Retail Order Management System, version 5.0 | Retail Applications |
| Oracle Retail Predictive Application Server, versions 14.0.3.26, 14.1.3.37, 15.0.3.100, 16.0 | Retail Applications |
| Oracle Retail Service Backbone, version 16.0.1 | Retail Applications |
| Oracle Retail Xstore Office, versions 7.0, 7.1 | Retail Applications |
| Oracle Retail Xstore Point of Service, versions 7.0, 7.1, 15.0, 16.0, 17.0, 18.0 | Retail Applications |
| Oracle Security Service, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 | Fusion Middleware |
| Oracle SOA Suite, version 12.2.1.3.0 | Fusion Middleware |
| Oracle Solaris, versions 10, 11.3, 11.4 | Systems |
| Oracle Transportation Management, version 6.3.7 | Oracle Supply Chain Products |
| Oracle Utilities Advanced Spatial and Operational Analytics, version 2.7.0.1 | Oracle Utilities Applications |
| Oracle Utilities Framework, versions 4.3.0.2.0 – 4.3.0.6.0, 4.4.0.0.0 | Oracle Utilities Applications |
| Oracle VM VirtualBox, versions prior to 5.2.32, prior to 6.0.10 | Virtualization |
| Oracle WebCenter Sites, version 12.2.1.3.0 | Fusion Middleware |
| Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 | Fusion Middleware |
| PeopleSoft Enterprise FIN Project Costing, version 9.2 | PeopleSoft |
| PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57 | PeopleSoft |
| PeopleSoft Enterprise PT PeopleTools, versions 8.55, 8.56, 8.57 | PeopleSoft |
| Primavera Analytics, version 18.8 | Oracle Construction and Engineering Suite |
| Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8 | Oracle Construction and Engineering Suite |
| Primavera Unifier, versions 16.1, 16.2, 17.7 – 17.12, 18.8 | Oracle Construction and Engineering Suite |
| Services Tools Bundle, version 19.2 | Support Tools |
| Siebel Applications, versions 19.0 and prior | Siebel |
| StorageTek Tape Analytics SW Tool, version 2.3.0 | Systems |
| Sun ZFS Storage Appliance Kit (AK), version 8.8.3 | Systems |
| System Utilities, version 19.1 | Support Tools |
| Tape Virtual Storage Manager GUI, version 6.2 | Systems |

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
