Oracle October 2019 Critical Patch Update for All Product Families Threat Alert

outubro 21, 2019 | Adeline Zhang

Overview

On October 15, 2019, local time, Oracle released its own security advisory and third-party security advisories for its October 2019 Critical Patch Update (CPU) which fixes 240 vulnerabilities of varying severity levels across the product families. For details about affected products and available patches, visit the appendix.

For more details, see Oracle’s official security advisory from the following link:

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Vulnerabilities

Product	Number of Vulnerabilities	Number of Remote Exploits Without Auth.	CVSS Base Score
Oracle Database server	10	2	6.8
Oracle NoSQL Database	1	1	10
Oracle Construction and Engineering Suite	13	11	9.8
Oracle E-Business Suite	10	10	8.2
Oracle Enterprise manager Products Suite	7	5	9.8
Oracle Financial Services Applications	7	4	9.8
Oracle Food and Beverage Applications	7	3	9.0
Oracle Fusion Middleware	37	31	9.8
Oracle Health Sciences Applications	2	2	6.1
Oracle Hospitality Applications	3	2	7.5
Oracle Hyperion	3	0	6.4
Oracle Java SE	20	20	6.8
Oracle GraalVM	3	2	7.7
Oracle JD Edwards Products	1	1	9.8
Oracle Knowledge	17	16	9.8
Oracle MySQL	34	9	9.8
Oracle PeopleSoft Products	13	10	9.8
Oracle Policy Automation	4	4	7.5
Oracle Retail Applications	12	9	9.8
Oracle Siebel CRM	4	4	7.5
Oracle Sun Systems Products Suite	12	7	9.8
Oracle Supply Chain Products	3	3	9.8
Oracle Support Tools	2	2	6.1
Oracle Virtualization	15	3	8.8

Affected Products and Versions

For details, see the appendix.

Critical Patch Update

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes.

Solution

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

Appendix

The following table lists affected products (and their versions) and related patches.

Affected Products and Versions	Patch Availability Document
Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4	Oracle Supply Chain Products
Diagnostic Assistant, version 2.12.36	Support Tools
Enterprise Manager Base Platform, versions 13.2, 13.3	Enterprise Manager
Enterprise Manager for Exadata, versions 12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0	Enterprise Manager
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0	Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2361, prior to XCP3071	Systems
Hyperion Data Relationship Management, version 11.1.2.4	Fusion Middleware
Hyperion Enterprise Performance Management Architect, version 11.1.2.4	Fusion Middleware
Hyperion Financial Reporting, version 11.1.2.4	Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3	Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Tools, version 4.0.1.0	JD Edwards
MICROS Relate CRM Software, versions 7.1.0, 11.4, 15.0.0, 16.0.0, 17.0.0, 18.0.0	Retail Applications
MICROS Retail XBRi Loss Prevention, version 10.8.3	Retail Applications
MySQL Connectors, versions 5.3.13 and prior, 8.0.17 and prior	MySQL
MySQL Enterprise Monitor, versions 8.0.17 and prior	MySQL
MySQL Server, versions 5.6.45 and prior, 5.7.27 and prior, 8.17 and prior	MySQL
MySQL Workbench, versions 8.0.17 and prior	MySQL
Oracle Agile PLM, versions 9.3.3-9.3.6	Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0	Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0	Fusion Middleware
Oracle Application Testing Suite, versions 13.2, 13.3	Enterprise Manager
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1	Oracle Financial Services Applications
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1	Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	Fusion Middleware
Oracle Clusterware, version 19.0.0.0.0	Support Tools
Oracle Data Integrator, version 12.2.1.3.0	Fusion Middleware
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c	Database
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9	E-Business Suite
Oracle Enterprise Repository, version 12.1.3.0.0	Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.2-8.0.8	Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.6, 8.0.7	Oracle Financial Services Enterprise Financial Performance Analytics
Oracle Financial Services Retail Performance Analytics, versions 8.0.6, 8.0.7	Oracle Financial Services Retail Performance Analytics
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3	Oracle Financial Services Applications
Oracle Forms, version 12.2.1.3.0	Fusion Middleware
Oracle GoldenGate Application Adapters, version 12.3.2.1.0	Fusion Middleware
Oracle GraalVM Enterprise Edition, version 19.2.0	Oracle GraalVM Enterprise Edition
Oracle Healthcare Foundation, versions 7.1.1, 7.2.2	Health Sciences
Oracle Healthcare Translational Research, versions 3.1.0, 3.2.1, 3.3.1	Health Sciences
Oracle Hospitality Cruise Dining Room Management, version 8.0.80	Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1	Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1	Oracle Hospitality Materials Control
Oracle Hospitality Reporting and Analytics, version 9.1.0	Oracle Hospitality Reporting and Analytics
Oracle Hospitality RES 3700, version 5.7	Oracle Hospitality RES
Oracle Java SE, versions 7u231, 8u221, 11.0.4, 13	Java SE
Oracle Java SE Embedded, version 8u221	Java SE
Oracle JDeveloper and ADF, versions 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle NoSQL Database, versions prior to 19.3.12	NoSQL Database
Oracle Outside In Technology, version 8.5.4	Fusion Middleware
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15	Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6	Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.15	Oracle Policy Automation
Oracle Retail Customer Insights, versions 15.0, 16.0	Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, version 17.0	Retail Applications
Oracle Retail Integration Bus, versions 15.0, 16.0	Retail Applications
Oracle Retail Xstore Office, version 7.1	Retail Applications
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 17.0.3, 18.0, 18.0.1, 19.0.0	Retail Applications
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
Oracle SOA Suite, version 12.2.1.3.0	Fusion Middleware
Oracle Solaris, versions 10, 11	Systems
Oracle Virtual Directory, version 11.1.1.9.0	Fusion Middleware
Oracle VM VirtualBox, versions prior to 5.2.34, prior to 6.0.14	Virtualization
Oracle Web Services, version 12.2.1.3.0	Fusion Middleware
Oracle WebCenter Portal, version 12.2.1.3.0	Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0	Fusion Middleware
PeopleSoft Enterprise HCM Human Resources, version 9.2	PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57	PeopleSoft
PeopleSoft Enterprise SCM eProcurement, version 9.2	PeopleSoft
Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8	Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13	Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8	Oracle Construction and Engineering Suite
Siebel Applications, versions 19.8 and prior	Siebel

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.

NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA).

A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.