Oracle Quarterly Critical Patches Issued October 20, 2020

DESCRIPTION
Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution. Oracle's quarterly Critical Patch Update bundles fixes across the product families listed below; per-vulnerability details (CVE identifiers, CVSS scores, and whether an issue is remotely exploitable without authentication) are in the Oracle advisory referenced at the end of this page.

SYSTEMS AFFECTED
    • Application Performance Management (APM), versions 13.3.0.0, 13.4.0.0
    • Big Data Spatial and Graph, versions prior to 3.0
    • Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0
    • Enterprise Manager for Peoplesoft, version 13.4.1.1
    • Enterprise Manager for Storage Management, versions 13.3.0.0, 13.4.0.0
    • Enterprise Manager Ops Center, version 12.4.0.0
    • Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2362, prior to XCP3090
    • Fujitsu M12-1, M12-2, M12-2S Servers, versions prior to XCP3090
    • Hyperion Analytic Provider Services, version 11.1.2.4
    • Hyperion BI+, version 11.1.2.4
    • Hyperion Essbase, version 11.1.2.4
    • Hyperion Infrastructure Technology, version 11.1.2.4
    • Hyperion Lifecycle Management, version 11.1.2.4
    • Hyperion Planning, version 11.1.2.4
    • Identity Manager Connector, version 9.0
    • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
    • Management Pack for Oracle GoldenGate, version 12.2.1.2.0
    • MySQL Cluster, versions 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior
    • MySQL Enterprise Monitor, versions 8.0.21 and prior
    • MySQL Server, versions 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
    • MySQL Workbench, versions 8.0.21 and prior
    • Oracle Access Manager, version 11.1.2.3.0
    • Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6
    • Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0
    • Oracle Application Express, versions prior to 20.2
    • Oracle Application Testing Suite, version 13.3.0.1
    • Oracle Banking Corporate Lending, versions 12.3.0, 14.0.0-14.4.0
    • Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1, 19.2, 20.1
    • Oracle Banking Payments, versions 14.1.0-14.4.0
    • Oracle Banking Platform, versions 2.4.0-2.10.0
    • Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
    • Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
    • Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
    • Oracle Communications Application Session Controller, versions 3.8m0, 3.9m0p1
    • Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.2.0, 12.0.0.3.0
    • Oracle Communications BRM – Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0
    • Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0.0-8.4.0.5, [IDIH] 8.0.0-8.2.2
    • Oracle Communications EAGLE Software, versions 46.6.0-46.8.2
    • Oracle Communications Element Manager, versions 8.2.0-8.2.2
    • Oracle Communications Evolved Communications Application Server, version 7.1
    • Oracle Communications Messaging Server, version 8.1
    • Oracle Communications Offline Mediation Controller, version 12.0.0.3.0
    • Oracle Communications Services Gatekeeper, version 7
    • Oracle Communications Session Border Controller, versions 8.2-8.4
    • Oracle Communications Session Report Manager, versions 8.2.0-8.2.2
    • Oracle Communications Session Route Manager, versions 8.2.0-8.2.2
    • Oracle Communications Unified Inventory Management, versions 7.3.0, 7.4.0
    • Oracle Communications WebRTC Session Controller, version 7.2
    • Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0
    • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
    • Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10
    • Oracle Endeca Information Discovery Integrator, version 3.2.0
    • Oracle Endeca Information Discovery Studio, version 3.2.0
    • Oracle Enterprise Repository, version 11.1.1.7.0
    • Oracle Enterprise Session Border Controller, version 8.4
    • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0
    • Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.6-8.0.8, 8.1.0
    • Oracle Financial Services Asset Liability Management, versions 8.0.6, 8.0.7, 8.1.0
    • Oracle Financial Services Balance Sheet Planning, version 8.0.8
    • Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.6-8.0.8, 8.1.0
    • Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.6-8.0.8, 8.1.0
    • Oracle Financial Services Data Foundation, versions 8.0.6-8.1.0
    • Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.0.6-8.0.9
    • Oracle Financial Services Data Integration Hub, versions 8.0.6, 8.0.7, 8.1.0
    • Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0
    • Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.6-8.0.8, 8.1.0
    • Oracle Financial Services Institutional Performance Analytics, versions 8.0.6, 8.0.7, 8.1.0, 8.7.0
    • Oracle Financial Services Liquidity Risk Management, version 8.0.6
    • Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8, 8.1.0
    • Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.6-8.0.8, 8.1.0
    • Oracle Financial Services Market Risk Measurement and Management, versions 8.0.6, 8.0.8, 8.1.0
    • Oracle Financial Services Price Creation and Discovery, versions 8.0.6, 8.0.7
    • Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0
    • Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6-8.1.0
    • Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.6-8.0.9
    • Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.2.0
    • Oracle Financial Services Retail Customer Analytics, version 8.0.6
    • Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.5.0-11.7.0
    • Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3
    • Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
    • Oracle FLEXCUBE Universal Banking, versions 12.3.0, 14.0.0-14.4.0
    • Oracle GoldenGate Application Adapters, versions 12.3.2.1.0, 19.1.0.0.0
    • Oracle GraalVM Enterprise Edition, versions 19.3.3, 20.2.0
    • Oracle Health Sciences Empirica Signal, version 9.0
    • Oracle Healthcare Data Repository, version 7.0.1
    • Oracle Healthcare Foundation, versions 7.1.1, 7.2.0, 7.2.1, 7.3.0
    • Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
    • Oracle Hospitality Materials Control, version 18.1
    • Oracle Hospitality OPERA 5 Property Services, versions 5.5, 5.6
    • Oracle Hospitality Reporting and Analytics, version 9.1.0
    • Oracle Hospitality RES 3700, version 5.7
    • Oracle Hospitality Simphony, versions 18.1, 18.2, 19.1.0-19.1.2
    • Oracle Hospitality Suite8, versions 8.10.2, 8.11-8.15
    • Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0
    • Oracle Insurance Accounting Analyzer, version 8.0.9
    • Oracle Insurance Allocation Manager for Enterprise Profitability, versions 8.0.8, 8.1.0
    • Oracle Insurance Data Foundation, versions 8.0.6-8.1.0
    • Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.0-5.6.0.0, 5.6.1.0
    • Oracle Insurance Policy Administration J2EE, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26, 11.2.2.0
    • Oracle Insurance Rules Palette, versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26
    • Oracle Java SE, versions 7u271, 8u261, 11.0.8, 15
    • Oracle Java SE Embedded, version 8u261
    • Oracle JDeveloper, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
    • Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0
    • Oracle Outside In Technology, versions 8.5.4, 8.5.5
    • Oracle Policy Automation, versions 12.2.0-12.2.20
    • Oracle Policy Automation Connector for Siebel, version 10.4.6
    • Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.20
    • Oracle REST Data Services, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Standalone ORDS] prior to 20.2.1
    • Oracle Retail Advanced Inventory Planning, version 14.1
    • Oracle Retail Assortment Planning, versions 15.0.3.0, 16.0.3.0
    • Oracle Retail Back Office, versions 14.0, 14.1
    • Oracle Retail Bulk Data Integration, versions 15.0.3.0, 16.0.3.0
    • Oracle Retail Central Office, versions 14.0, 14.1
    • Oracle Retail Customer Management and Segmentation Foundation, versions 18.0, 19.0
    • Oracle Retail Integration Bus, versions 14.1, 15.0, 16.0
    • Oracle Retail Order Broker, versions 15.0, 16.0, 18.0, 19.0, 19.1, 19.2, 19.3
    • Oracle Retail Point-of-Service, versions 14.0, 14.1
    • Oracle Retail Predictive Application Server, versions 14.1.3.0, 15.0.3.0, 16.0.3.0
    • Oracle Retail Price Management, versions 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0
    • Oracle Retail Returns Management, versions 14.0, 14.1
    • Oracle Retail Service Backbone, versions 14.1, 15.0, 16.0
    • Oracle Retail Xstore Point of Service, versions 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1
    • Oracle Solaris, versions 10, 11
    • Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.49, prior to 18.1.3.1.0, prior to 18.1.4.1.0
    • Oracle Transportation Management, version 6.3.7
    • Oracle Utilities Framework, versions 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
    • Oracle VM VirtualBox, versions prior to 6.1.16
    • Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
    • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
    • Oracle ZFS Storage Appliance Kit, version 8.8
    • PeopleSoft Enterprise HCM Global Payroll Core, version 9.2
    • PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
    • PeopleSoft Enterprise SCM eSupplier Connection, version 9.2
    • Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.8
    • Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12
    • Siebel Applications, versions 20.7, 20.8
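
The list above phrases an affected range in three ways: "X and prior" (scoped to X's release line, so MySQL 5.7.32 is not caught by "5.7.31 and prior"), "prior to X" (a plain less-than, as for VirtualBox), and explicit versions or "lo-hi" ranges (as for Java SE, WebLogic Server and E-Business Suite). The following Python script is an added example, not CIS or Oracle tooling: it encodes those three semantics and classifies an installed version against them. The AFFECTED table is transcribed from the list above for a handful of products, and the inventory it runs on is constructed sample data.

```python
"""Added example: classify installed Oracle product versions against the
affected ranges as phrased in this advisory. Not CIS or Oracle tooling."""

import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Transcribed from the SYSTEMS AFFECTED list (the text after "versions").
AFFECTED: Dict[str, str] = {
    "MySQL Server": "5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior",
    "Oracle VM VirtualBox": "prior to 6.1.16",
    "Oracle Application Express": "prior to 20.2",
    "Oracle Java SE": "7u271, 8u261, 11.0.8, 15",
    "Oracle WebLogic Server": "10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0",
    "Oracle E-Business Suite": "12.1.1-12.1.3, 12.2.3-12.2.10",
}


def parse_version(text: str) -> Version:
    """'12.2.1.3.0' -> (12, 2, 1, 3, 0); '19c' -> (19,);
    Java's '8u261' -> (8, 0, 261) so update numbers compare as a third component."""
    m = re.fullmatch(r"(\d+)u(\d+)", text.strip())
    if m:
        return (int(m.group(1)), 0, int(m.group(2)))
    parts: List[int] = []
    for tok in text.strip().split("."):
        digits = re.match(r"\d+", tok)
        if not digits:
            raise ValueError(f"unparseable version component {tok!r} in {text!r}")
        parts.append(int(digits.group()))
    return tuple(parts)


def parse_affected(spec: str) -> List[Tuple]:
    """Turn the advisory's comma-separated phrasing into typed entries."""
    entries: List[Tuple] = []
    for item in (s.strip() for s in spec.split(",")):
        if item.startswith("prior to "):
            entries.append(("before", parse_version(item[len("prior to "):])))
        elif item.endswith(" and prior"):
            entries.append(("line_upto", parse_version(item[: -len(" and prior")])))
        elif "-" in item:
            lo, hi = item.split("-", 1)
            entries.append(("range", parse_version(lo), parse_version(hi)))
        else:
            entries.append(("exact", parse_version(item)))
    return entries


def classify(product: str, installed: str) -> str:
    """Return 'affected', 'not_affected' or 'not_listed'.

    'X and prior' applies only within X's release line (all components but the
    last must match); 'prior to X' is a plain less-than; explicit versions and
    'lo-hi' ranges match inclusively and say nothing about builds they omit."""
    v = parse_version(installed)
    past_fix = False
    for entry in parse_affected(AFFECTED[product]):
        kind, bound = entry[0], entry[1]
        if kind == "before":
            if v < bound:
                return "affected"
            past_fix = True  # at or beyond the version that carries the fix
        elif kind == "line_upto":
            if v[:-1] == bound[:-1]:
                return "affected" if v[-1] <= bound[-1] else "not_affected"
        elif kind == "range":
            if bound <= v <= entry[2]:
                return "affected"
        elif v == bound:
            return "affected"
    return "not_affected" if past_fix else "not_listed"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Classify every (product, installed_version) pair in an inventory."""
    return [(p, ver, classify(p, ver)) for p, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("MySQL Server", "5.7.31"),
        ("MySQL Server", "8.0.22"),
        ("Oracle VM VirtualBox", "6.0.24"),
        ("Oracle Application Express", "20.1.0.00.13"),
        ("Oracle Java SE", "8u261"),
        ("Oracle WebLogic Server", "12.2.1.4.0"),
        ("Oracle E-Business Suite", "12.2.9"),
    ]
    for product, ver, verdict in triage(sample):
        print(f"{product:30} {ver:14} {verdict}")
```

Two caveats when reading the verdicts. For products whose fix ships as a new version number (MySQL, VirtualBox, Application Express, Java SE) the comparison is conclusive, although an exact-match entry such as "8u261" only says that build is in scope and reports later builds as not listed. For products that are patched in place (Oracle Database, WebLogic Server, E-Business Suite, PeopleTools), the base version string does not change when the Critical Patch Update is applied, so "affected" means the release is in scope and the October 2020 patch must be confirmed in the OPatch inventory (`opatch lspatches`) or the product's own patch history.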

RECOMMENDATIONS

The following actions are recommended:

    • Apply the appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing. For products that are patched in place (for example Oracle Database and WebLogic Server), confirm that the October 2020 patch appears in the patch inventory; the base version string does not change when a Critical Patch Update is applied.
    • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
    • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
    • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
    • Apply the Principle of Least Privilege to all systems and services.

REFERENCES
https://www.oracle.com/security-alerts/cpuoct2020.html
https://www.cisecurity.org/advisory/oracle-quarterly-critical-patches-issued-october-20-2020_2020-144/