Flertalet kritiska sårbarheter i Oracle-produkter

Oracle har släppt 219 stycken säkerhetsuppdateringar för 72 olika produkter [1]. Av dessa har 19 stycken ett CVSS-värde 9.0 eller högre och kan därför klassas som kritiska.

Sårbarheterna möjliggör bl.a. fjärrexekvering av godtycklig kod utan autenticering [2].

Sårbara versioner

Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4
Diagnostic Assistant, version 2.12.36
Enterprise Manager Base Platform, versions 13.2, 13.3
Enterprise Manager for Exadata, versions 12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2361, prior to XCP3071
Hyperion Data Relationship Management, version 11.1.2.4
Hyperion Enterprise Performance Management Architect, version 11.1.2.4
Hyperion Financial Reporting, version 11.1.2.4
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
JD Edwards EnterpriseOne Tools, version 4.0.1.0
MICROS Relate CRM Software, versions 7.1.0, 11.4, 15.0.0, 16.0.0, 17.0.0, 18.0.0
MICROS Retail XBRi Loss Prevention, version 10.8.3
MySQL Connectors, versions 5.3.13 and prior, 8.0.17 and prior
MySQL Enterprise Monitor, versions 8.0.17 and prior
MySQL Server, versions 5.6.45 and prior, 5.7.27 and prior, 8.17 and prior
MySQL Workbench, versions 8.0.17 and prior
Oracle Agile PLM, versions 9.3.3-9.3.6
Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0
Oracle API Gateway, version 11.1.2.4.0
Oracle Application Testing Suite, versions 13.2, 13.3
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Oracle Clusterware, version 19.0.0.0.0
Oracle Data Integrator, version 12.2.1.3.0
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9
Oracle Enterprise Repository, version 12.1.3.0.0
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.2-8.0.8
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.6, 8.0.7
Oracle Financial Services Retail Performance Analytics, versions 8.0.6, 8.0.7
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
Oracle Forms, version 12.2.1.3.0
Oracle GoldenGate Application Adapters, version 12.3.2.1.0
Oracle GraalVM Enterprise Edition, version 19.2.0
Oracle Healthcare Foundation, versions 7.1.1, 7.2.2
Oracle Healthcare Translational Research, versions 3.1.0, 3.2.1, 3.3.1
Oracle Hospitality Cruise Dining Room Management, version 8.0.80
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
Oracle Hospitality Materials Control, version 18.1
Oracle Hospitality Reporting and Analytics, version 9.1.0
Oracle Hospitality RES 3700, version 5.7
Oracle Java SE, versions 7u231, 8u221, 11.0.4, 13
Oracle Java SE Embedded, version 8u221
Oracle JDeveloper and ADF, versions 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0
Oracle NoSQL Database, versions prior to 19.3.12
Oracle Outside In Technology, version 8.5.4
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15
Oracle Policy Automation Connector for Siebel, version 10.4.6
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.15
Oracle Retail Customer Insights, versions 15.0, 16.0
Oracle Retail Customer Management and Segmentation Foundation, version 17.0
Oracle Retail Integration Bus, versions 15.0, 16.0
Oracle Retail Xstore Office, version 7.1
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 17.0.3, 18.0, 18.0.1, 19.0.0
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
Oracle SOA Suite, version 12.2.1.3.0
Oracle Solaris, versions 10, 11
Oracle Virtual Directory, version 11.1.1.9.0
Oracle VM VirtualBox, versions prior to 5.2.34, prior to 6.0.14
Oracle Web Services, version 12.2.1.3.0
Oracle WebCenter Portal, version 12.2.1.3.0
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
PeopleSoft Enterprise HCM Human Resources, version 9.2
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57
PeopleSoft Enterprise SCM eProcurement, version 9.2
Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8
Primavera P6 Ent. Project Portfolio Mgmt, ver. 15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8
Siebel Applications, versions 19.8 and prior

Sårbarheterna har som högst 10 på den 10-gradiga CVSS 3.0 "Base Metrics"-skalan.

Rekommendationer

CERT-SE rekommenderar att snarast möjligt inventera och uppdatera drabbade system snarast.

Källor

[1] https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
[2] https://www.oracle.com/technetwork/security-advisory/cpuoct2019verbose-5072833.html#HOSP