Oracle Quarterly Critical Patches Issued January 17th, 2023
ITS ADVISORY NUMBER:
2023-007
DATE(S) ISSUED:
01/17/2023
SUBJECT:
Oracle Quarterly Critical Patches Issued January 17, 2023
OVERVIEW:
Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.
SYSTEMS AFFECTED:
- Big Data Spatial and Graph, versions prior to 21.4.3, prior to 23.1.0
- Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0
- Enterprise Manager Ops Center, version 12.4.0.0
- Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2411, prior to XCP3111, prior to XCP4011
- GoldenGate Stream Analytics, versions prior to 19.1.0.0.8
- GoldenGate Veridata, versions prior to 12.2.1.4.220831
- JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.7.2
- JD Edwards EnterpriseOne Tools, versions prior to 9.2.7.2
- Management Cloud Engine, version 22.1.0.0.0
- Management Pack for Oracle GoldenGate, versions prior to 12.2.1.2.221115
- Middleware Common Libraries and Tools, versions 12.2.1.4.0, 14.1.1.0.0
- MySQL Cluster, versions 7.4.38 and prior, 7.5.28 and prior, 7.6.24 and prior, 8.0.31 and prior
- MySQL Connectors, versions 8.0.31 and prior
- MySQL Enterprise Monitor, versions 8.0.32 and prior
- MySQL Server, versions 5.7.40 and prior, 8.0.31 and prior
- MySQL Workbench, versions 8.0.31 and prior
- Oracle Access Manager, version 12.2.1.4.0
- Oracle Agile PLM, version 9.3.6
- Oracle AutoVue, versions prior to 21.0.2.6
- Oracle Banking Enterprise Default Management, versions 2.6.2, 2.7.0, 2.7.1, 2.12.0
- Oracle Banking Loans Servicing, versions 2.8.0, 2.12.0
- Oracle Banking Party Management, version 2.7.0
- Oracle Banking Platform, versions 2.6.2, 2.7.1, 2.9.0, 2.12.0
- Oracle BI Publisher, versions 5.9.0.0.0, 6.4.0.0.0, 12.2.1.4.0
- Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0.0, 6.4.0.0.0
- Oracle Coherence, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- Oracle Commerce Guided Search, version 11.3.2
- Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.7.0
- Oracle Communications BRM - Elastic Charging Engine, versions 12.0.0.3.0-12.0.0.7.0
- Oracle Communications Calendar Server, version 8.0.0.6.0
- Oracle Communications Cloud Native Core Automated Test Suite, versions 22.2.2, 22.3.1, 22.4.0
- Oracle Communications Cloud Native Core Binding Support Function, versions 22.1.0, 22.1.1, 22.2.0, 22.2.1, 22.2.2, 22.2.4, 22.3.0-22.4.0
- Oracle Communications Cloud Native Core Console, versions 22.3.0, 22.4.0
- Oracle Communications Cloud Native Core Network Data Analytics Function, version 22.0.0.0.0
- Oracle Communications Cloud Native Core Network Exposure Function, versions 22.3.1, 22.4.0
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 22.3.0
- Oracle Communications Cloud Native Core Network Repository Function, versions 22.3.0, 22.3.2
- Oracle Communications Cloud Native Core Network Slice Selection Function, versions 22.3.1, 22.4.1
- Oracle Communications Cloud Native Core Policy, versions 1.11.0, 22.3.0, 22.4.0
- Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.3.1, 22.4.0
- Oracle Communications Cloud Native Core Unified Data Repository, versions 22.2.2, 22.2.3, 22.3.3, 22.3.4, 22.4.0
- Oracle Communications Contacts Server, version 8.0.0.7.0
- Oracle Communications Converged Application Server, versions 7.1.0, 8.0.0
- Oracle Communications Convergence, version 3.0.3.1.0
- Oracle Communications Design Studio, version 7.4.2
- Oracle Communications Diameter Intelligence Hub, version 8.2.3.0
- Oracle Communications Diameter Signaling Router, version 8.6.0.0
- Oracle Communications Elastic Charging Engine, versions 12.0.0.3.0-12.0.0.7.0
- Oracle Communications Instant Messaging Server, version 10.0.1.6.0
- Oracle Communications Messaging Server, version 8.1.0.20.0
- Oracle Communications MetaSolv Solution, version 6.3.1
- Oracle Communications Order and Service Management, version 7.4.0
- Oracle Communications Performance Intelligence Center (PIC) Software, version 10.4.0.4.1
- Oracle Communications Pricing Design Center, versions 12.0.0.5.0-12.0.0.7.0
- Oracle Communications Unified Assurance, versions 5.5.0-5.5.9, 6.0.0-6.0.1
- Oracle Communications Unified Inventory Management, versions 7.4.0-7.4.2, 7.5.0
- Oracle Database Server, versions 19c, 21c, [Perl] prior to 5.35
- Oracle Demantra Demand Management, versions 12.1, 12.2, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12
- Oracle Documaker, versions 12.4.0-12.7.0
- Oracle E-Business Suite, versions 12.2.3-12.2.12
- Oracle Essbase, version 21.4
- Oracle Financial Services Crime and Compliance Management Studio, version 8.0.8.3.1
- Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
- Oracle Global Lifecycle Management NextGen OUI Framework, versions prior to 13.9.4.2.11
- Oracle GraalVM Enterprise Edition, versions 20.3.8, 21.3.4, 22.3.0 Java SE
- Oracle Graph Server and Client, versions prior to 21.4.3, prior to 22.4.0, prior to 23.1.0
- Oracle Healthcare Data Repository, versions 8.1.0.0-8.1.3.1
- Oracle Healthcare Translational Research, versions 4.1.0.0-4.1.1.1
- Oracle Hospitality Cruise Shipboard Property Management System, version 20.2.2
- Oracle Hospitality Gift and Loyalty, version 9.1.0 Oracle
- Oracle Hospitality Labor Management, version 9.1.0 Oracle
- Oracle Hospitality Reporting and Analytics, version 9.1.0
- Oracle Hospitality Simphony, versions 18.2.11, 19.3.4
- Oracle HTTP Server, version 12.2.1.4.0
- Oracle Hyperion Infrastructure Technology, version 11.2.10
- Oracle Java SE, versions 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1
- Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
- Oracle Outside In Technology, version 8.5.6
- Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3
- Oracle SD-WAN Aware, versions 8.2.1.9.0, 9.0.1.4.0
- Oracle Solaris, versions 10, 11
- Oracle Spatial Studio, versions prior to 22.3.0
- Oracle Stream Analytics, versions prior to 19.1.0.0.8
- Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.65
- Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0
- Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1, 2.5.0.0-2.5.0.2
- Oracle VM VirtualBox, versions prior to 6.1.42, prior to 7.0.6
- Oracle Web Services Manager, version 12.2.1.4.0
- Oracle WebCenter Content, version 12.2.1.4.0
- Oracle WebCenter Sites, version 12.2.1.4.0
- Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- OSS Support Tools, versions 2.12.43, 22.2.22.4.5, 22.4.22.10.18
- PeopleSoft Enterprise CC Common Application Objects, version 9.2
- PeopleSoft Enterprise CS Academic Advisement, version 9.2
- PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60
- Primavera Gateway, versions 18.8.0-18.8.15, 19.12.0-19.12.15, 20.12.0-20.12.10, 21.12.0-21.12.8
- Primavera Unifier, versions 18.8, 19.12, 20.12, 21.12, 22.12
- Siebel Applications, versions 22.10 and prior
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: Low
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
- Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
REFERENCES:
Oracle:
https://www.oracle.com/security-alerts/cpujan2023.html