Oracle Quarterly Critical Patches Issued January 18, 2022

ITS ADVISORY NUMBER: 2022-009

DATE(S) ISSUED: Wednesday, January 19, 2022

SUBJECT: Oracle Quarterly Critical Patches Issued January 18, 2022

OVERVIEW: 

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED: 

  • Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite, version 3.6
  • Application Performance Management, versions 13.4.1.0, 13.5.1.0
  • Big Data Spatial and Graph, versions prior to 23.1
  • Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0
  • Enterprise Manager Ops Center, version 12.4.0.0
  • Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2410, prior to XCP3110
  • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
  • JD Edwards EnterpriseOne Tools, versions prior to 9.2.6.1
  • MySQL Cluster, versions 7.4.34 and prior, 7.5.24 and prior, 7.6.20 and prior, 8.0.27 and prior
  • MySQL Connectors, versions 8.0.27 and prior
  • MySQL Server, versions 5.7.36 and prior, 8.0.27 and prior
  • MySQL Workbench, versions 8.0.27 and prior
  • Oracle Access Manager, versions 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Agile Engineering Data Management, version 6.2.1.0
  • Oracle Agile PLM, versions 9.3.3, 9.3.6
  • Oracle Agile PLM MCAD Connector, versions 3.4, 3.6
  • Oracle Airlines Data Model, versions 12.1.1.0.0, 12.2.0.1.0
  • Oracle Application Express, versions prior to 21.1.4
  • Oracle Application Testing Suite, version 13.3.0.1
  • Oracle Argus Analytics, versions 8.2.1, 8.2.2, 8.2.3
  • Oracle Argus Insight, versions 8.2.1, 8.2.2, 8.2.3
  • Oracle Argus Mart, versions 8.2.1, 8.2.2, 8.2.3
  • Oracle Argus Safety, versions 8.2.1, 8.2.2, 8.2.3
  • Oracle Banking APIs, versions 18.1-18.3, 19.1, 19.2, 20.1, 21.1
  • Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0
  • Oracle Banking Digital Experience, versions 17.2, 18.1-18.3, 19.1, 19.2, 20.1, 21.1
  • Oracle Banking Enterprise Default Management, versions 2.3.0-2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.10.0, 2.12.0
  • Oracle Banking Loans Servicing, version 2.12.0
  • Oracle Banking Party Management, version 2.7.0
  • Oracle Banking Platform, versions 2.3.0-2.4.1, 2.6.2, 2.7.0, 2.7.1
  • Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Activity Monitoring, versions 12.2.1.4.0, 12.2.1.5.0
  • Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 5.9.0.0.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Clinical, versions 5.2.1, 5.2.2
  • Oracle Commerce Guided Search, version 11.3.2
  • Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2
  • Oracle Communications Billing and Revenue Management, versions 12.0.0.3, 12.0.0.4
  • Oracle Communications BRM - Elastic Charging Engine, versions 11.3, 12.0
  • Oracle Communications Calendar Server, version 8.0.0.5.0
  • Oracle Communications Cloud Native Core Automated Test Suite, version 1.8.0
  • Oracle Communications Cloud Native Core Binding Support Function, versions 1.9.0, 1.10.0
  • Oracle Communications Cloud Native Core Console, version 1.7.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 1.9.0
  • Oracle Communications Cloud Native Core Network Repository Function, version 1.14.0
  • Oracle Communications Cloud Native Core Policy, version 1.14.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 1.5.0, 1.6.0, 1.15.0
  • Oracle Communications Cloud Native Core Service Communication Proxy, version 1.14.0
  • Oracle Communications Cloud Native Core Unified Data Repository, version 1.14.0
  • Oracle Communications Contacts Server, version 8.0.0.3.0
  • Oracle Communications Convergence, version 3.0.2.2.0
  • Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0
  • Oracle Communications Data Model, versions 11.3.2.1.0, 11.3.2.2.0, 11.3.2.3.0, 12.1.0.1.0, 12.1.2.0.0
  • Oracle Communications Design Studio, versions 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2
  • Oracle Communications Diameter Signaling Router, versions 8.0.0.0-8.5.1.0
  • Oracle Communications EAGLE Application Processor, versions 16.1-16.4
  • Oracle Communications Instant Messaging Server, version 10.0.1.5.0
  • Oracle Communications Interactive Session Recorder, versions 6.3, 6.4
  • Oracle Communications Messaging Server, version 8.1
  • Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.4.0.0
  • Oracle Communications Network Integrity, versions 7.3.5, 7.3.6
  • Oracle Communications Offline Mediation Controller, version 12.0.0.3
  • Oracle Communications Operations Monitor, versions 3.4, 4.2, 4.3, 4.4, 5.0
  • Oracle Communications Pricing Design Center, versions 12.0.0.3.0, 12.0.0.4.0
  • Oracle Communications Service Broker, version 6.2
  • Oracle Communications Services Gatekeeper, version 7.0
  • Oracle Communications Session Border Controller, versions 8.2, 8.3, 8.4, 9.0
  • Oracle Communications Unified Inventory Management, versions 7.3.0, 7.3.4, 7.3.5, 7.4.0, 7.4.1, 7.4.2, 7.5.0
  • Oracle Communications WebRTC Session Controller, versions 7.2.0, 7.2.1
  • Oracle Data Integrator, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 19c, 21c
  • Oracle Demantra Demand Management, versions 12.2.6-12.2.11
  • Oracle E-Business Suite, versions 12.2.3-12.2.11
  • Oracle Enterprise Communications Broker, version 3.3
  • Oracle Enterprise Data Quality, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Enterprise Session Border Controller, versions 8.4, 9.0
  • Oracle Essbase, versions prior to 11.1.2.4.47, prior to 21.3
  • Oracle Essbase Administration Services, versions prior to 11.1.2.4.47
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7-8.1.1
  • Oracle Financial Services Behavior Detection Platform, versions 8.0.7, 8.0.8, 8.1.1
  • Oracle Financial Services Enterprise Case Management, versions 8.0.7, 8.0.8, 8.1.1
  • Oracle Financial Services Foreign Account Tax Compliance Act Management, versions 8.0.7, 8.0.8, 8.1.1
  • Oracle Financial Services Model Management and Governance, versions 8.0.8-8.1.1
  • Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7, 8.0.8
  • Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.4.0, 14.5.0
  • Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
  • Oracle Fusion Middleware, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
  • Oracle GoldenGate, versions prior to 12.3.0.1, prior to 19.1.0.0.220118, prior to 21.4.0.0.0, prior to 21.5.0.0.220118
  • Oracle GraalVM Enterprise Edition, versions 20.3.4, 21.3.0
  • Oracle Graph Server and Client, versions prior to 21.4
  • Oracle Health Sciences Clinical Development Analytics, version 4.0.1
  • Oracle Health Sciences InForm CRF Submit, version 6.2.1
  • Oracle Health Sciences Information Manager, versions 3.0.2, 3.0.3
  • Oracle Healthcare Data Repository, versions 7.0.2, 8.1.0, 8.1.1
  • Oracle Healthcare Foundation, versions 7.3.0.0-7.3.0.2, 8.0.0-8.0.2, 8.1.0-8.1.1
  • Oracle Healthcare Translational Research, version 4.1.0
  • Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0
  • Oracle Hospitality OPERA 5, version 5.6
  • Oracle Hospitality Reporting and Analytics, version 9.1.0
  • Oracle Hospitality Suite8, versions 8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0
  • Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0, 12.2.1.5.0
  • Oracle Hyperion Infrastructure Technology, version 11.2.7.0
  • Oracle iLearning, versions 6.2, 6.3
  • Oracle Insurance Data Gateway, versions 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
  • Oracle Insurance Insbridge Rating and Underwriting, versions 5.2.0, 5.4.0-5.6.0
  • Oracle Insurance Policy Administration, versions 11.0.2, 11.1.0, 11.2.7, 11.3.0, 11.3.1
  • Oracle Insurance Policy Administration J2EE, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0
  • Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0, 11.3.1
  • Oracle Java SE, versions 7u321, 8u311, 11.0.13, 17.1
  • Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle NoSQL Database, versions prior to 21.1.12
  • Oracle Policy Automation, versions 12.2.0-12.2.24
  • Oracle Product Lifecycle Analytics, version 3.6.1
  • Oracle Rapid Planning, versions 12.2.6-12.2.11
  • Oracle Real User Experience Insight, versions 13.4.1.0, 13.5.1.0
  • Oracle REST Data Services, versions prior to 21.2.4
  • Oracle Retail Allocation, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
  • Oracle Retail Analytics, version 21.0.1
  • Oracle Retail Assortment Planning, version 16.0.3
  • Oracle Retail Back Office, version 14.1
  • Oracle Retail Central Office, version 14.1
  • Oracle Retail Customer Insights, version 21.0.1
  • Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0
  • Oracle Retail EFTLink, versions 16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.1
  • Oracle Retail Extract Transform and Load, version 13.2.8
  • Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
  • Oracle Retail Fiscal Management, version 14.2
  • Oracle Retail Integration Bus, versions 14.1.3.0, 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1
  • Oracle Retail Invoice Matching, versions 15.0.3, 16.0.3
  • Oracle Retail Merchandising System, version 19.0.1
  • Oracle Retail Order Broker, versions 16.0, 18.0, 19.1
  • Oracle Retail Order Management System, version 19.5
  • Oracle Retail Point-of-Service, version 14.1
  • Oracle Retail Predictive Application Server, versions 14.1.3, 14.1.3.46, 15.0.3, 15.0.3.115, 16.0.3, 16.0.3.240
  • Oracle Retail Price Management, versions 13.2, 14.0.4, 14.1, 14.1.3, 15, 15.0.3, 16, 16.0.3
  • Oracle Retail Returns Management, version 14.1
  • Oracle Retail Service Backbone, versions 14.1.3.0, 14.1.3.2, 15.0.3.1, 16.0.1-16.0.3, 19.0.0, 19.0.1
  • Oracle Retail Size Profile Optimization, version 16.0.3
  • Oracle Retail Xstore Point of Service, versions 17.0.4, 18.0.3, 19.0.2, 20.0.1
  • Oracle SD-WAN Aware, version 8.2
  • Oracle SD-WAN Edge, versions 9.0, 9.1
  • Oracle Secure Backup, versions prior to 18.1.0.1.0
  • Oracle Solaris, versions 10, 11
  • Oracle Spatial Studio, versions prior to 21.2.1
  • Oracle Thesaurus Management System, versions 5.2.3, 5.3.0, 5.3.1
  • Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.27, prior to 21.1.1.1.0
  • Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
  • Oracle Utilities Testing Accelerator, versions 6.0.0.1.1, 6.0.0.2.2, 6.0.0.3.1
  • Oracle VM VirtualBox, versions prior to 6.1.32
  • Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebLogic Server, versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle ZFS Storage Appliance Kit, version 8.8
  • Oracle ZFS Storage Application Integration Engineering Software, version 1.3.3
  • OSS Support Tools, versions prior to 2.12.42
  • PeopleSoft Enterprise CS SA Integration Pack, versions 9.0, 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.59
  • Primavera Analytics, versions 18.8.3.3, 19.12.11.1, 20.12.12.0
  • Primavera Data Warehouse, versions 18.8.3.3, 19.12.11.1, 20.12.12.0
  • Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.13, 19.12.0-19.12.12, 20.12.0-20.12.7, 21.12.0
  • Primavera P6 Enterprise Project Portfolio Management, versions 17.12.0.0-17.12.20.0, 18.8.0.0-18.8.24.0, 19.12.0.0-19.12.18.0, 20.12.0.0-20.12.12.0, 21.12.0.0
  • Primavera P6 Professional Project Management, versions 17.12.0.0-17.12.20.0, 18.8.0.0-18.8.24.0, 19.12.0.0-19.12.17.0, 20.12.0.0-20.12.9.0
  • Primavera Portfolio Management, versions 18.0.0.0-18.0.3.0, 19.0.0.0-19.0.1.2, 20.0.0.0, 20.0.0.1
  • Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12, 21.12
  • Siebel Applications, versions 21.11 and prior

RISK:

Government:

Large and medium government entities: High

Small government entities: High

Business:

Large and medium business entities: High

Small business entities: High

Home Users: Low

DESCRIPTION: None

ACTIONS: 

  • After appropriate testing, immediately apply patches or mitigations provided by Oracle to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
  • Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services. 

REFERENCES: 

Oracle:
https://www.oracle.com/security-alerts/cpujan2022.html