Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution

ITS ADVISORY NUMBER:
2023-042

DATE(S) ISSUED:
04/18/2023

SUBJECT:
Oracle Quarterly Critical Patches Issued April 18, 2023

OVERVIEW:
Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

 

SYSTEMS AFFECTED:

  • JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.7.3
  • JD Edwards EnterpriseOne Tools, versions prior to 9.2.7.3
  • JD Edwards World Security, version A9.4
  • Management Cloud Engine, version 22.1.0.0.0
  • MySQL Cluster, versions 7.5.29 and prior, 7.6.25 and prior, 8.0.32 and prior
  • MySQL Connectors, versions 8.0.32 and prior
  • MySQL Enterprise Monitor, versions 8.0.33 and prior
  • MySQL Server, versions 5.7.41 and prior, 8.0.32 and prior
  • MySQL Workbench, versions 8.0.32 and prior
  • Oracle Access Manager, version 12.2.1.4.0
  • Oracle Agile PLM, version 9.3.6
  • Oracle Application Testing Suite, version 13.3.0.1
  • Oracle Argus Insight, versions prior to 8.2.3
  • Oracle Argus Safety, versions prior to 8.2.3
  • Oracle Banking APIs, versions 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2
  • Oracle Banking Corporate Lending, versions 14.0-14.3, 14.5-14.7
  • Oracle Banking Corporate Lending Process Management, versions 14.4-14.7
  • Oracle Banking Digital Experience, versions 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2
  • Oracle Banking Payments, versions 14.5, 14.6, 14.7
  • Oracle Banking Trade Finance, versions 14.5, 14.6, 14.7
  • Oracle Banking Treasury Management, versions 14.5, 14.6, 14.7
  • Oracle Banking Virtual Account Management, versions 14.5, 14.6, 14.7
  • Oracle BI Publisher, versions 6.4.0.0.0, 12.2.1.4.0
  • Oracle Big Data Spatial and Graph, versions prior to 23.1
  • Oracle Blockchain Platform, versions prior to 21.1.3
  • Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0.0, 6.4.0.0.0, 12.2.1.4.0
  • Oracle Business Process Management Suite, version 12.2.1.4.0
  • Oracle Clinical Remote Data Capture, version 5.4.0.2
  • Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
  • Oracle Commerce Guided Search, version 11.3.2
  • Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2
  • Oracle Communications Cloud Native Configuration Console, versions 22.4.1, 23.1.0
  • Oracle Communications Cloud Native Core Automated Test Suite, versions 22.3.1, 22.4.0
  • Oracle Communications Cloud Native Core Binding Support Function, versions 22.4.0-22.4.4, 23.1.0-23.1.1
  • Oracle Communications Cloud Native Core Console, versions 22.3.0, 22.4.0
  • Oracle Communications Cloud Native Core Network Exposure Function, versions 22.4.2, 23.1.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 22.4.0
  • Oracle Communications Cloud Native Core Network Repository Function, version 23.1.0
  • Oracle Communications Cloud Native Core Policy, versions 22.4.0-22.4.4, 23.1.0-23.1.1
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.4.0, 22.4.1, 22.4.2, 23.1.0
  • Oracle Communications Cloud Native Core Service Communication Proxy, versions 22.3.0, 22.4.0
  • Oracle Communications Cloud Native Core Unified Data Repository, versions 22.4.1, 23.1.0
  • Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0
  • Oracle Communications Core Session Manager, versions 8.45, 9.15
  • Oracle Communications Diameter Signaling Router, version 8.6.0.0
  • Oracle Communications Element Manager, versions 9.0.0, 9.0.1
  • Oracle Communications IP Service Activator, versions 7.4.0, 7.5.0
  • Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0
  • Oracle Communications Operations Monitor, version 5.0
  • Oracle Communications Order and Service Management, version 7.4.1
  • Oracle Communications Policy Management, version 12.6.0.0.0
  • Oracle Communications Services Gatekeeper, version 7.0.0.0.0
  • Oracle Communications Session Border Controller, versions 9.0, 9.1
  • Oracle Communications Session Report Manager, versions 9.0.0, 9.0.1
  • Oracle Communications Session Router, versions 9.0, 9.1
  • Oracle Communications Subscriber-Aware Load Balancer, versions 9.0, 9.1
  • Oracle Communications Unified Assurance, versions 5.5.0-5.5.10, 6.0.0-6.0.2
  • Oracle Communications Unified Inventory Management, versions 7.4.0, 7.4.1, 7.4.2, 7.5.0
  • Oracle Communications User Data Repository, version 12.6.1.0.0
  • Oracle Data Integrator, version 12.2.1.4.0
  • Oracle Database Server, versions 19c, 21c
  • Oracle Documaker, versions 12.6.0.0.0, 12.6.2.0.0-12.6.4.0.0, 12.7.0.0.0, 12.7.1.0.0
  • Oracle E-Business Suite, versions 12.2.3-12.2.12
  • Oracle Enterprise Communications Broker, versions 3.3, 4.0
  • Oracle Enterprise Manager Ops Center, version 12.4.0.0
  • Oracle Enterprise Session Router, version 9.1
  • Oracle Essbase, version 21.4
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0, 8.0.8.0, 8.0.9.0, 8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1, 8.1.2.2
  • Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.7.1.2, 8.1.1.1.7
  • Oracle Financial Services Asset Liability Management, version 8.0.7.8.0
  • Oracle Financial Services Balance Computation Engine, version 8.1.1.1.1
  • Oracle Financial Services Balance Sheet Planning, version 8.0.8.1.4
  • Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4
  • Oracle Financial Services Compliance Studio, version 8.1.2.4
  • Oracle Financial Services Crime and Compliance Management Studio, version 8.0.8.3.5
  • Oracle Financial Services Currency Transaction Reporting, versions 8.0.8.1.0, 8.1.1.1.0, 8.1.2.3.0, 8.1.2.4.1
  • Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.1.2.0, 8.1.2.1
  • Oracle Financial Services Data Integration Hub, versions 8.0.7.3.1, 8.1.0.1.4, 8.1.2.2.1
  • Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management, versions 8.0.7.3.1, 8.0.8.3.1
  • Oracle Financial Services Enterprise Case Management, versions 8.0.8.2, 8.1.1.1, 8.1.2.3, 8.1.2.4
  • Oracle Financial Services Enterprise Financial Performance Analytics, version 8.0.7.8.1
  • Oracle Financial Services Funds Transfer Pricing, version 8.0.7.8.1
  • Oracle Financial Services Institutional Performance Analytics, version 8.0.7.8.1
  • Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7.3.1, 8.0.8.3.1
  • Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.7.8.1, 8.0.8.2.1
  • Oracle Financial Services Model Management and Governance, versions 8.1.0.0, 8.1.2.0
  • Oracle Financial Services Profitability Management, version 8.0.7.8.1
  • Oracle Financial Services Regulatory Reporting, versions 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4
  • Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.1.1.2.0
  • Oracle Financial Services Retail Performance Analytics, version 8.0.7.8.1
  • Oracle Financial Services Revenue Management and Billing, versions 2.7, 2.7.1, 2.8, 2.9, 2.9.1, 3.0, 3.1, 3.2, 4.0
  • Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8.0.0
  • Oracle FLEXCUBE Core Banking, versions 11.6, 11.7, 11.8, 11.10, 11.11
  • Oracle FLEXCUBE Universal Banking, versions 14.0-14.3, 14.5-14.7
  • Oracle GoldenGate, versions prior to 19.1.0.0.230418, prior to 21.10.0.0.0
  • Oracle GoldenGate Studio, version [Fusion Middleware] 12.2.1.4.0
  • Oracle GraalVM Enterprise Edition, versions 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1
  • Oracle Graph Server and Client, versions prior to 23.1.0, prior to 23.2.0
  • Oracle Health Sciences InForm, versions prior to 6.3.1.3, prior to 7.0.0.1
  • Oracle Healthcare Foundation, versions 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2
  • Oracle Healthcare Master Person Index, versions 5.0.0-5.0.4
  • Oracle Healthcare Translational Research, versions 4.1.0, 4.1.1
  • Oracle Hospitality OPERA 5 Property Services, version 5.6
  • Oracle HTTP Server, version 12.2.1.4.0
  • Oracle Hyperion Financial Reporting, version 11.2.12
  • Oracle Hyperion Infrastructure Technology, version 11.2.12
  • Oracle Identity Manager, version 12.2.1.4.0
  • Oracle iLearning, version 6.3.1
  • Oracle Insurance Policy Administration Operational Data Store for Life and Annuity, version 1.0.1.8
  • Oracle Java SE, versions 8u361, 8u361-perf, 11.0.18, 17.0.6, 20
  • Oracle JDeveloper, version 12.2.1.4.0
  • Oracle Managed File Transfer, version 12.2.1.4.0
  • Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
  • Oracle NoSQL Database, versions prior to 19.5.32
  • Oracle Outside In Technology, version 8.5.6
  • Oracle REST Data Services, versions prior to 23.1.0
  • Oracle Retail Customer Management and Segmentation Foundation, versions 18.0.0.12, 19.0.0.6
  • Oracle Retail Fiscal Management, version 14.2
  • Oracle Retail Invoice Matching, versions 15.0.3, 16.0.3
  • Oracle Retail Merchandising System, versions 15.0.3.1, 16.0.2, 16.0.3
  • Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3
  • Oracle Retail Price Management, versions 14.1.3.2, 15.0.3.1, 16.0.3
  • Oracle Retail Sales Audit, version 15.0.3.1
  • Oracle Retail Xstore Office Cloud Service, versions 18.0.5, 19.0.4, 20.0.3, 21.0.2
  • Oracle Retail Xstore Point of Service, versions 17.0.6, 18.0.5, 19.0.4, 20.0.3, 21.0.2
  • Oracle SD-WAN Aware, version 9.0.1.6.0
  • Oracle SD-WAN Edge, versions 9.1.1.3.0, 9.1.1.4.0
  • Oracle SOA Suite, version 12.2.1.4.0
  • Oracle Solaris, versions 10, 11
  • Oracle SQL Developer, versions prior to 22.4.0, prior to 23.1.0
  • Oracle TimesTen In-Memory Database, versions prior to 22.1.1.7.0
  • Oracle Utilities Application Framework, versions 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0
  • Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1, 2.5.0.0, 2.5.0.1, 2.5.0.2
  • Oracle VM VirtualBox, versions prior to 6.1.44, prior to 7.0.8
  • Oracle WebCenter Portal, version 12.2.1.4.0
  • Oracle WebCenter Sites, version 12.2.1.4.0
  • Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • PeopleSoft Enterprise HCM Human Resources, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60
  • Primavera P6 Enterprise Project Portfolio Management, versions 18.8.0-18.8.26, 19.12.0-19.12.21, 20.12.0-20.12.18, 21.12.0-21.12.12, 22.12.0-22.12.3
  • Primavera Unifier, versions 18.8.0-18.8.18, 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.14, 22.12.0-22.12.3
  • Siebel Applications, versions 21.10 and prior, 22.10 and prior, 23.3 and prior

 

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

 

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  • Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
    • Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
    • Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
 

REFERENCES:

https://learn.cisecurity.org/e/799323/ecurity-alerts-cpuapr2023-html/4sw3q5/903184414?h=-X82Ila109b3_fhVDFX_FPHoWCRcFrmo9qWQiKewelI