Overview
On July 17, 2024, NSFOCUS CERT detected that Oracle officially released a critical patch update announcement CPU (Critical Patch Update) for July. A total of 397 vulnerabilities of varying degrees were fixed this time. This security update involves Oracle WebLogic Server, Oracle MySQL, Oracle Java SE, Oracle Fusion Middleware, Oracle Financial Services Applications, Oracle Communications Applications and other commonly used products. Oracle strongly recommends that customers apply critical patch updates to fix the vulnerability as soon as possible.
Reference link: https://www.oracle.com/security-alerts/cpujul2024.html
Key Vulnerabilities
Screen out the vulnerabilities with great impact in this update according to product popularity and vulnerability importance. Please pay attention to them:
Oracle WebLogic Server Remote Code Execution Vulnerability (CVE-2024-21181):
A remote execution vulnerability is present in Oracle WebLogic Server. An unauthenticated attacker executes arbitrary code on the targeted server by sending a special request via T3/IIOP protocol to the affected server, with a CVSS score of 9.8.
Oracle WebLogic Server Information Disclosure Vulnerability (CVE-2024-21182 / CVE-2024-21183):
An information disclosure vulnerability exists in Oracle WebLogic Server. An unauthenticated attacker sends a special request to the affected server through T3/IIOP protocol, which may realize illegal access to key data or complete access to all data of Oracle WebLogic Server, resulting in disclosure of sensitive information. The CVSS score was 7.5.
Oracle WebLogic Server Unauthorized Access Vulnerability (CVE-2024-21175):
An unauthorized access vulnerability exists in Oracle WebLogic Server. An unauthenticated attacker can create, delete or modify full access to critical data or all data of the Oracle WebLogic Server without authorization by sending a special HTTP request to an affected server. The CVSS score was 7.5.
The vulnerabilities in the key patch update of Oracle official website in July are summarized as follows:
| PRODUCT | Number of Vulnerabilities | Number of unauthorized remote use | Maximum CVSS Score |
| Oracle Database Products Risk Matrices | 8 | 3 | 7.5 |
| Oracle Database Server | 8 | 3 | 7.5 |
| Oracle Application Express | 1 | 1 | 4.7 |
| Oracle Big Data Spatial and Graph | 2 | 0 | 6.7 |
| Oracle Essbase | 2 | 0 | 6.7 |
| Oracle GoldenGate | 1 | 1 | 5.9 |
| Oracle Graph Server and Client | 1 | 1 | 5.9 |
| Oracle NoSQL Database | 1 | 1 | 5.9 |
| Oracle REST Data Services | 1 | 1 | 5.3 |
| Oracle TimesTen In-Memory Database | 1 | 0 | 4.3 |
| Oracle Commerce | 7 | 7 | 8.1 |
| Oracle Communications Applications | 20 | 14 | 9.8 |
| Oracle Communications | 95 | 84 | 9.8 |
| Oracle Construction and Engineering | 4 | 2 | 8.1 |
| Oracle E-Business Suite | 10 | 2 | 8.1 |
| Oracle Enterprise Manager | 5 | 5 | 7.5 |
| Oracle Financial Services Applications | 60 | 44 | 9.8 |
| Oracle Fusion Middleware | 41 | 32 | 9.8 |
| Oracle Analytics | 17 | 12 | 9.8 |
| Oracle HealthCare Applications | 5 | 2 | 8.1 |
| Oracle Hyperion | 3 | 0 | 5.5 |
| Oracle Insurance Applications | 10 | 7 | 8.2 |
| Oracle Java SE | 7 | 7 | 8.2 |
| Oracle JD Edwards | 8 | 6 | 7.5 |
| Oracle MySQL | 37 | 11 | 9.8 |
| Oracle PeopleSoft | 11 | 3 | 6.4 |
| Oracle Retail Applications | 5 | 4 | 8.6 |
| Oracle Siebel CRM | 12 | 11 | 9.8 |
| Oracle Supply Chain | 7 | 5 | 8.8 |
| Oracle Systems | 2 | 1 | 4.7 |
| Oracle Utilities Applications | 2 | 2 | 7.5 |
| Oracle Virtualization | 3 | 0 | 8.2 |
Mitigation
1. Patch update
Please refer to the Appendix “Affected Products and Patch Information” in this document to download the affected product update patch in time, and install and update it by referring to the readme file in the patch installation package to ensure long-term effective protection. Note: The official patch of Oracle requires the user to have a licensed account of genuine software. After logging in https://support.oracle.com with this account, you can download the latest patch.
2. Temporary measures
Restrict T3 protocol access
The following measures can be used to block attacks that exploit T3 protocol vulnerabilities if the user is temporarily unable to install patches or communicate with the JVM via the T3 protocol:
WebLogic Server provides a default connection filter named weblogic.security.net.ConnectionFilterImpl, which accepts all incoming connections and can control access to T3 and T3s protocols through the configuration rules of this connection filter. The detailed operation steps are as follows:
1) Go to the Weblogic console. On the configuration page of base_domain, go to the Security tab page and click Filters to configure connection filters.
2) Enter weblogic.security.net.ConnectionFilterImpl in the connection filter, and configure rules that meet the actual situation of the enterprise in the connection filter rules by referring to the following writing:
The connection filter rule format is as follows: target localAddress localPort action protocols, where:
- target specifies one or more servers to filter.
- localAddress can be used to define the host address of the server. (If an asterisk (*) is specified, the returned match will be all local IP addresses.)
- localPort defines the port on which the server is listening. (If an asterisk is specified, the match will return all available ports on the server).
- action specifies the operation to be performed. (Value must be “allow” or “deny”.)
Protocols is a list of protocol names to be matched. (Must specify one of the following protocols: http, https, t3, t3s, giop, giops, dcom or ftp. If no protocol is defined, all protocols will match one rule.
3) If the rule does not take effect after saving, it is recommended to restart the Weblogic service (restarting the Weblogic service will cause business interruption. It is recommended that relevant personnel assess the risk before proceeding). Taking the Windows environment as an example, the steps to restart the service are as follows:
Enter the bin directory under the directory where the domain is located, run stopWebLogic.cmd file in Windows system to terminate weblogic service, and run stopWebLogic.sh file in Linux system
After the termination script is executed, run the startWebLogic.cmd or startWebLogic.sh file to start Weblogic to restart the Weblogic service.
Reference link: https://docs.oracle.com/cd/E24329_01/web.1211/e24485/con_filtr.htm#SCPRG377
Disable IIOP protocol
Users can block attacks that exploit IIOP protocol vulnerabilities by disabling the IIOP protocol as follows: In the Weblogic console, choose Service -> AdminServer -> Protocol and unselect Enable IIOP. Restart the Weblogic project to make the configuration take effect.
Affected Products and Patches
| Affected product and version number | Available patches |
| JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.8.3 | https://support.oracle.com/rs?type=doc&id=3032893.1 |
| JD Edwards EnterpriseOne Tools, versions prior to 9.2.8.2 | https://support.oracle.com/rs?type=doc&id=3032893.1 |
| JD Edwards World Security, version A9.4 | https://support.oracle.com/rs?type=doc&id=3032893.1 |
| Management Pack for Oracle GoldenGate, version 12.2.1.2 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| MySQL Cluster, versions 7.5.34 and prior, 7.6.30 and prior, 8.0.37 and prior, 8.1.0 and prior, 8.3.0 and prior, 8.4.0 and prior | https://support.oracle.com/rs?type=doc&id=3031934.1 |
| MySQL Connectors, versions 8.4.0 and prior | https://support.oracle.com/rs?type=doc&id=3031934.1 |
| MySQL Enterprise Monitor, versions 8.0.38 and prior | https://support.oracle.com/rs?type=doc&id=3031934.1 |
| MySQL Server, versions 8.0.37 and prior, 8.0.38, 8.2.0 and prior, 8.3.0 and prior, 8.4.0 and prior, 8.4.1, 9.0.0 | https://support.oracle.com/rs?type=doc&id=3031934.1 |
| MySQL Workbench, versions 8.0.36 and prior | https://support.oracle.com/rs?type=doc&id=3031934.1 |
| Oracle Access Manager, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Agile Engineering Data Management, versions 6.2.1.0-6.2.1.9 | https://support.oracle.com/rs?type=doc&id=3032936.1 |
| Oracle Analytics Desktop, versions prior to 7.7.0, prior to 7.8.0 | https://support.oracle.com/rs?type=doc&id=3030276.2 |
| Oracle Application Express, version 23.2 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle Application Testing Suite, version 13.3.0.1 | https://support.oracle.com/rs?type=doc&id=3027815.1 |
| Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2 | https://support.oracle.com/rs?type=doc&id=3032936.1 |
| Oracle Banking Branch, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | https://support.oracle.com |
| Oracle Banking Cash Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | https://support.oracle.com |
| Oracle Banking Corporate Lending Process Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | https://support.oracle.com |
| Oracle Banking Credit Facilities Process Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | https://support.oracle.com |
| Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0.0.0 | https://support.oracle.com/rs?type=doc&id=3031550.1 |
| Oracle Banking Liquidity Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | https://support.oracle.com |
| Oracle Banking Origination, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | https://support.oracle.com |
| Oracle Banking Party Management, version 2.7.0.0.0 | https://support.oracle.com/rs?type=doc&id=3031550.1 |
| Oracle Banking Platform, version 2.4.0.0.0 | https://support.oracle.com/rs?type=doc&id=3031550.1 |
| Oracle Banking Virtual Account Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | https://support.oracle.com |
| Oracle Big Data Spatial and Graph, version 3.0.6 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle Business Activity Monitoring, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Business Intelligence Enterprise Edition, versions 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030276.2 |
| Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Commerce Guided Search, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=3032937.1 |
| Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2 | https://support.oracle.com/rs?type=doc&id=3032937.1 |
| Oracle Communications ASAP, version 7.4 | https://support.oracle.com/rs?type=doc&id=3029082.1 |
| Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=3029083.1 |
| Oracle Communications BRM – Elastic ChargingEngine, versions 12.0.0.4-12.0.0.8, 15.0.0.0 | https://support.oracle.com/rs?type=doc&id=3029087.1 |
| Oracle Communications Cloud Native Core Automated Test Suite, versions 23.1.0, 23.4.0 | https://support.oracle.com/rs?type=doc&id=3034023.1 |
| Oracle Communications Cloud Native Core Binding Support Function, versions 23.4.0-23.4.3 | https://support.oracle.com/rs?type=doc&id=3033755.1 |
| Oracle Communications Cloud Native Core Console, versions 23.4.0, 23.4.1 | https://support.oracle.com/rs?type=doc&id=3033772.1 |
| Oracle Communications Cloud Native Core Network Data Analytics Function, version 24.2.0 | https://support.oracle.com/rs?type=doc&id=3033759.1 |
| Oracle Communications Cloud Native Core Network Exposure Function, version 23.4.3 | https://support.oracle.com/rs?type=doc&id=3033760.1 |
| Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 23.4.0, 24.1.0 | https://support.oracle.com/rs?type=doc&id=3033771.1 |
| Oracle Communications Cloud Native Core Network Repository Function, version 23.4.2 | https://support.oracle.com/rs?type=doc&id=3033754.1 |
| Oracle Communications Cloud Native Core Policy, versions 23.4.0-23.4.4 | https://support.oracle.com/rs?type=doc&id=3034256.1 |
| Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.4.0, 24.1.0 | https://support.oracle.com/rs?type=doc&id=3033778.1 |
| Oracle Communications Cloud Native Core Service Communication Proxy, versions 23.4.0, 23.4.1, 23.4.2, 24.1.0 | https://support.oracle.com/rs?type=doc&id=3033762.1 |
| Oracle Communications Cloud Native Core Unified Data Repository, versions 23.4.1, 23.4.2 | https://support.oracle.com/rs?type=doc&id=3033758.1 |
| Oracle Communications Converged Charging System, versions 2.0.0.0.0, 2.0.0.1.0 | https://support.oracle.com/rs?type=doc&id=3032835.1 |
| Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=3032835.1 |
| Oracle Communications Diameter Signaling Router, versions 8.6.0.4-8.6.0.8 | https://support.oracle.com/rs?type=doc&id=3035470.1 |
| Oracle Communications EAGLE Element Management System, versions 46.6.4, 46.6.5 | https://support.oracle.com/rs?type=doc&id=3033767.1 |
| Oracle Communications Element Manager, versions 9.0.0-9.0.3 | https://support.oracle.com/rs?type=doc&id=3034508.1 |
| Oracle Communications Network Analytics Data Director, versions 23.4.0, 24.1.0 | https://support.oracle.com/rs?type=doc&id=3033768.1 |
| Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=3029085.1 |
| Oracle Communications Operations Monitor, versions 5.1, 5.2 | https://support.oracle.com/rs?type=doc&id=3033757.1 |
| Oracle Communications Performance Intelligence, version 10.5 | https://support.oracle.com/rs?type=doc&id=3033769.1 |
| Oracle Communications Policy Management, versions 12.6.1.0.0, 15.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=3033770.1 |
| Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=3033654.1 |
| Oracle Communications Service Catalog and Design, versions 7.4.0-7.4.2, 8.0.0 | https://support.oracle.com/rs?type=doc&id=3029087.1 |
| Oracle Communications Session Border Controller, versions 4.1.0, 4.2.0, 9.2.0, 9.3.0 | https://support.oracle.com/rs?type=doc&id=3032665.1 |
| Oracle Communications Session Report Manager, versions 9.0.0-9.0.3 | https://support.oracle.com/rs?type=doc&id=3034257.1 |
| Oracle Communications Unified Assurance, versions 5.5.0-5.5.21, 6.0.0-6.0.4 | https://support.oracle.com/rs?type=doc&id=3029086.1 |
| Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2 | https://support.oracle.com/rs?type=doc&id=3029115.1 |
| Oracle Communications User Data Repository, versions 12.11.0, 12.11.3, 12.11.4 | https://support.oracle.com/rs?type=doc&id=3033765.1 |
| Oracle Data Integrator, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Database Server, versions 19.3-19.23, 21.3-21.14, 23.4 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle Documaker, versions 12.6.4, 12.7.1 | https://support.oracle.com/rs?type=doc&id=3032841.1 |
| Oracle E-Business Suite, versions 12.2.3-12.2.13 | https://support.oracle.com/rs?type=doc&id=2484000.1 |
| Oracle Enterprise Data Quality, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Enterprise Manager Base Platform, version 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=3027815.1 |
| Oracle Essbase, version 21.5.6 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7, 8.0.8, 8.1.1, 8.1.2 | https://support.oracle.com/rs?type=doc&id=3031528.1 |
| Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.7.3, 8.0.8.3 | https://support.oracle.com/rs?type=doc&id=3032260.1 |
| Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.7.3, 8.0.8.3 | https://support.oracle.com/rs?type=doc&id=3033171.1 |
| Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.6, 8.1.2.7 | https://support.oracle.com/rs?type=doc&id=3032876.1 |
| Oracle Financial Services Compliance Studio, versions 8.1.2.6, 8.1.2.7 | https://support.oracle.com/rs?type=doc&id=3032854.1 |
| Oracle Financial Services Enterprise Case Management, versions 8.0.8.2.8, 8.1.1.1.18, 8.1.2.6.4, 8.1.2.7.3 | https://support.oracle.com/rs?type=doc&id=3032811.1 |
| Oracle Financial Services Model Management and Governance, versions 8.1.2.5, 8.1.2.6 | https://support.oracle.com/rs?type=doc&id=3033761.1 |
| Oracle Financial Services Revenue Management and Billing, versions 6.0.0.0.0, 6.1.0.0.0 | https://support.oracle.com/rs?type=doc&id=3032766.1 |
| Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8.0 | https://support.oracle.com/rs?type=doc&id=3032877.1 |
| Oracle FLEXCUBE Investor Servicing, versions 14.5.0.0.0, 14.7.0.0.0 | https://support.oracle.com |
| Oracle FLEXCUBE Universal Banking, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0 | https://support.oracle.com |
| Oracle Fusion Middleware, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Global Lifecycle Management NextGen OUI Framework, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle GoldenGate, versions 19.1.0.0.0-19.23.0.0.240716, 21.3-21.14 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.18, 21.3-21.14.0.0.0 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle GoldenGate Studio, version 12.2.0.4.0 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle GraalVM Enterprise Edition, versions 20.3.14, 21.3.10 | https://support.oracle.com/rs?type=doc&id=3031998.1 |
| Oracle GraalVM for JDK, versions 17.0.11, 21.0.3, 22.0.1 | https://support.oracle.com/rs?type=doc&id=3031998.1 |
| Oracle Graph Server and Client, versions 22.4.7 and prior, 23.4.2 and prior, 24.1.0 and prior | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle Healthcare Data Repository, versions 8.1.4, 8.2.0 | https://support.oracle.com/rs?type=doc&id=3031684.1 |
| Oracle Healthcare Foundation, versions 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4 | https://support.oracle.com/rs?type=doc&id=3031684.1 |
| Oracle Healthcare Master Person Index, versions 5.0.0-5.0.9 | https://support.oracle.com/rs?type=doc&id=3031684.1 |
| Oracle HTTP Server, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Hyperion Data Relationship Management, version 11.2.17.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Hyperion Financial Close Management, version 11.2.17.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Hyperion Infrastructure Technology, version 11.2.17.0.0 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
| Oracle Identity Manager, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Insurance Policy Administration J2EE, versions 11.2.12, 11.3.0-11.3.2 | https://support.oracle.com/rs?type=doc&id=3032841.1 |
| Oracle Java SE, versions 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1 | https://support.oracle.com/rs?type=doc&id=3031998.1 |
| Oracle JDeveloper, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle NoSQL Database, versions 1.4, 1.5, prior to 19.5.42, prior to 20.3.40, prior to 21.2.27, prior to 22.3.46, prior to 23.3.32 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle Outside In Technology, version 8.5.7 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Reports Developer, versions 12.2.1.4.0, 12.2.1.19.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle REST Data Services, versions prior to 23.3.1, prior to 24.1.0 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=3027543.1 |
| Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=3027543.1 |
| Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1 | https://support.oracle.com/rs?type=doc&id=3027543.1 |
| Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=3027543.1 |
| Oracle Retail Xstore Office, versions 19.0.5, 20.0.3, 20.0.4, 22.0.0, 23.0.1 | https://support.oracle.com/rs?type=doc&id=3027543.1 |
| Oracle Service Bus, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Solaris, version 11 | https://support.oracle.com/rs?type=doc&id=3031405.1 |
| Oracle TimesTen In-Memory Database, versions 22.1.1.1.0-22.1.1.24.0 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| Oracle Unified Directory, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle Utilities Application Framework, versions 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1-4.5.0.1.3, 24.1.0.0.0, 24.2.0.0.0 | https://support.oracle.com/rs?type=doc&id=3031477.1 |
| Oracle VM VirtualBox, versions prior to 7.0.20 | https://support.oracle.com/rs?type=doc&id=3034015.1 |
| Oracle WebCenter Content, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle WebCenter Portal, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle WebCenter Sites, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=3030266.2 |
| Oracle ZFS Storage Appliance Kit, version 8.8 | https://support.oracle.com/rs?type=doc&id=3031405.1 |
| PeopleSoft Enterprise HCM Human Resources, version 9.2 | https://support.oracle.com/rs?type=doc&id=3032892.1 |
| PeopleSoft Enterprise HCM Shared Components, version 9.2 | https://support.oracle.com/rs?type=doc&id=3032892.1 |
| PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60, 8.61 | https://support.oracle.com/rs?type=doc&id=3032892.1 |
| Primavera Gateway, versions 19.12.0-19.12.19, 20.12.0-20.12.14, 21.12.0-21.12.12 | https://support.oracle.com/rs?type=doc&id=3030446.1 |
| Primavera Unifier, versions 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.13, 23.12.0-23.12.6 | https://support.oracle.com/rs?type=doc&id=3030446.1 |
| Siebel Applications, versions 22.12 and prior, 23.12 and prior, 24.6 and prior | https://support.oracle.com/rs?type=doc&id=3032935.1 |
| JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.8.3 | https://support.oracle.com/rs?type=doc&id=3032893.1 |
| JD Edwards EnterpriseOne Tools, versions prior to 9.2.8.2 | https://support.oracle.com/rs?type=doc&id=3032893.1 |
| JD Edwards World Security, version A9.4 | https://support.oracle.com/rs?type=doc&id=3032893.1 |
| Management Pack for Oracle GoldenGate, version 12.2.1.2 | https://support.oracle.com/rs?type=doc&id=3027813.1 |
| MySQL Cluster, versions 7.5.34 and prior, 7.6.30 and prior, 8.0.37 and prior, 8.1.0 and prior, 8.3.0 and prior, 8.4.0 and prior | https://support.oracle.com/rs?type=doc&id=3031934.1 |
| MySQL Connectors, versions 8.4.0 and prior | https://support.oracle.com/rs?type=doc&id=3031934.1 |
Statement
This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, a pioneering leader in cybersecurity, is dedicated to safeguarding telecommunications, Internet service providers, hosting providers, and enterprises from sophisticated cyberattacks.
Founded in 2000, NSFOCUS operates globally with over 4000 employees at two headquarters in Beijing, China, and Santa Clara, CA, USA, and over 50 offices worldwide. It has a proven track record of protecting over 25% of the Fortune Global 500 companies, including four of the five largest banks and six of the world’s top ten telecommunications companies.
Leveraging technical prowess and innovation, NSFOCUS delivers a comprehensive suite of security solutions, including the Intelligent Security Operations Platform (ISOP) for modern SOC, DDoS Protection, Continuous Threat Exposure Management (CTEM) Service and Web Application and API Protection (WAAP). All the solutions and services are augmented by the Security Large Language Model (SecLLM), ML, patented algorithms and other cutting-edge research achievements developed by NSFOCUS.
