Oracle Update
2686Warning Date
Severity Level
Warning Number
Target Sector
21 October, 2020
● Critical
2020-1960
All
Description:
Oracle has released a security update to address several vulnerabilities in the following products:
- Application Performance Management (APM), versions 13.3.0.0, 13.4.0.0
- Big Data Spatial and Graph, versions prior to 3.0
- Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0
- Enterprise Manager for Peoplesoft, version 13.4.1.1
- Enterprise Manager for Storage Management, versions 13.3.0.0, 13.4.0.0
- Enterprise Manager Ops Center, version 12.4.0.0
- Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2362, prior to XCP3090
- Fujitsu M12-1, M12-2, M12-2S Servers, versions prior to XCP3090
- Hyperion Analytic Provider Services, version 11.1.2.4
- Hyperion BI+, version 11.1.2.4
- Hyperion Essbase, version 11.1.2.4
- Hyperion Infrastructure Technology, version 11.1.2.4
- Hyperion Lifecycle Management, version 11.1.2.4
- Hyperion Planning, version 11.1.2.4
- Identity Manager Connector, version 9.0
- Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
- Management Pack for Oracle GoldenGate, version 12.2.1.2.0
- MySQL Cluster, versions 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior
- MySQL Enterprise Monitor, versions 8.0.21 and prior
- MySQL Server, versions 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
- MySQL Workbench, versions 8.0.21 and prior
- Oracle Access Manager, version 11.1.2.3.0
- Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6
- Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0
- Oracle Application Express, versions prior to 20.2
- Oracle Application Testing Suite, version 13.3.0.1
- Oracle Banking Corporate Lending, versions 12.3.0, 14.0.0-14.4.0
- Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1, 19.2, 20.1
- Oracle Banking Payments, versions 14.1.0-14.4.0
- Oracle Banking Platform, versions 2.4.0-2.10.0
- Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
- Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
- Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Communications Application Session Controller, versions 3.8m0, 3.9m0p1
- Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.2.0, 12.0.0.3.0
- Oracle Communications BRM - Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0
- Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0.0-8.4.0.5, [IDIH] 8.0.0-8.2.2
- Oracle Communications EAGLE Software, versions 46.6.0-46.8.2
- Oracle Communications Element Manager, versions 8.2.0-8.2.2
- Oracle Communications Evolved Communications Application Server, version 7.1
- Oracle Communications Messaging Server, version 8.1
- Oracle Communications Offline Mediation Controller, version 12.0.0.3.0
- Oracle Communications Services Gatekeeper, version 7
- Oracle Communications Session Border Controller, versions 8.2-8.4
- Oracle Communications Session Report Manager, versions 8.2.0-8.2.2
- Oracle Communications Session Route Manager, versions 8.2.0-8.2.2
- Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0
- Oracle Communications WebRTC Session Controller, version 7.2
- Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0
- Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
- Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10
- Oracle Endeca Information Discovery Integrator, version 3.2.0
- Oracle Endeca Information Discovery Studio, version 3.2.0
- Oracle Enterprise Repository, version 11.1.1.7.0
- Oracle Enterprise Session Border Controller, version 8.4
- Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0
- Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.6-8.0.8, 8.1.0
- Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7, 8.1.0
- Oracle Financial Services Balance Sheet Planning, version 8.0.8
- Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.6-8.0.8, 8.1.0
- Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.6-8.0.8, 8.1.0
- Oracle Financial Services Data Foundation, versions 8.0.6-8.1.0
- Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.0.6-8.0.9
- Oracle Financial Services Data Integration Hub, versions 8.0.6, 8.0.7, 8.1.0
- Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0
- Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8, 8.1.0
- Oracle Financial Services Institutional Performance Analytics, versions 8.0.6, 8.0.7, 8.1.0, 8.7.0
- Oracle Financial Services Liquidity Risk Management, version 8.0.6
- Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8, 8.1.0
- Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8, 8.1.0
- Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8, 8.1.0
- Oracle Financial Services Price Creation and Discovery, versions 8.0.6, 8.0.7
- Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0
- Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6-8.1.0
- Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.6-8.0.9
- Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.2.0
- Oracle Financial Services Retail Customer Analytics, version 8.0.6
- Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.5.0-11.7.0
- Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3
- Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
- Oracle GoldenGate Application Adapters, versions 12.3.2.1.0, 19.1.0.0.0
- Oracle FLEXCUBE Universal Banking, versions 12.3.0, 14.0.0-14.4.0
- Oracle GraalVM Enterprise Edition, versions 19.3.3, 20.2.0
- Oracle Health Sciences Empirica Signal, version 9.0
- Oracle Healthcare Data Repository, version 7.0.1
- Oracle Healthcare Foundation, versions 7.1.1, 7.2.0, 7.2.1, 7.3.0
- Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
- Oracle Hospitality Materials Control, version 18.1
- Oracle Hospitality OPERA 5 Property Services, versions 5.5, 5.6
- Oracle Hospitality Reporting and Analytics, version 9.1.0
- Oracle Hospitality RES 3700, version 5.7
- Oracle Hospitality Simphony, versions 18.1, 18.2, 19.1.0-19.1.2
- Oracle Hospitality Suite8, versions 8.10.2, 8.11-8.15
- Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Insurance Accounting Analyzer, version 8.0.9
- Oracle Insurance Allocation Manager for Enterprise Profitability, versions 8.0.8, 8.1.0
- Oracle Insurance Data Foundation, versions 8.0.6-8.1.0
- Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.0-5.6.0.0, 5.6.1.0
- Oracle Insurance Policy Administration J2EE, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26, 11.2.2.0
- Oracle Insurance Rules Palette, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26
- Oracle Java SE, versions 7u271, 8u261, 11.0.8, 15
- Oracle Java SE Embedded, version 8u261
- Oracle JDeveloper, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
- Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Outside In Technology, versions 8.5.4, 8.5.5
- Oracle Policy Automation, versions 12.2.0-12.2.20
- Oracle Policy Automation Connector for Siebel, version 10.4.6
- Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.20
- Oracle REST Data Services, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Standalone ORDS] prior to 20.2.1
- Oracle Retail Advanced Inventory Planning, version 14.1
- Oracle Retail Assortment Planning, versions 15.0.3.0, 16.0.3.0
- Oracle Retail Back Office, versions 14.0, 14.1
- Oracle Retail Central Office, versions 14.0, 14.1
- Oracle Retail Customer Management and Segmentation Foundation, versions 18.0, 19.0
- Oracle Retail Integration Bus, versions 14.1, 15.0, 16.0
- Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0, 19.1, 19.2, 19.3
- Oracle Retail Point-of-Service, versions 14.0, 14.1
- Oracle Retail Predictive Application Server, versions 14.1.3.0, 15.0.3.0, 16.0.3.0
- Oracle Retail Price Management, versions 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0
- Oracle Retail Returns Management, versions 14.0, 14.1
- Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0
- Oracle Retail Xstore Point of Service, versions 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1
- Oracle Solaris, versions 10, 11
- Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.49, prior to 18.1.3.1.0, prior to 18.1.4.1.0
- Oracle Transportation Management, version 6.3.7
- Oracle Utilities Framework, versions 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
- Oracle VM VirtualBox, versions prior to 6.1.16
- Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
- Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- Oracle ZFS Storage Appliance Kit, version 8.8
- PeopleSoft Enterprise HCM Global Payroll Core, version 9.2
- PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
- PeopleSoft Enterprise SCM eSupplier Connection, version 9.2
- Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.8
- Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12
- Siebel Applications, versions 20.7, 20.8
Threats:
Attacker could exploit these vulnerabilities by doing the following:
- Denial of service attack (DoS)
- Execute arbitrary code
- Code injection -remotely
Best practice and Recommendations:
The CERT team encourages users to review Oracle security advisory and apply the necessary updates: