Oracle Quarterly Critical Patches Issued January 16, 2018

ITS Advisory Number: 
2018-005
Date(s) Issued: 
Wednesday, January 17, 2018
Subject: 
Oracle Quarterly Critical Patches Issued January 16, 2018
Overview: 

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

Systems Affected: 
  • Agile Material and Equipment Management for Pharmaceuticals, versions 9.3.3, 9.3.4
  • Application Express, versions prior to 5.1.4.00.08
  • Converged Commerce, version 16.0.1
  • Hyperion BI+, version 11.1.2.4
  • Hyperion Data Relationship Management, version 11.1.2.4.330
  • Integrated Lights Out Manager (ILOM), versions 3.x, 4.x
  • Java Advanced Management Console, version 2.8
  • Java ME SDK, version 8.3
  • JD Edwards EnterpriseOne Tools, version 9.2
  • MICROS Handheld Terminal, versions Prior to BSP 02.13.0701 (070116)
  • MICROS Relate CRM Software, versions 10.8.x, 11.4.x, 15.0.x
  • MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
  • MySQL Connectors, versions 5.3.9 and prior, 6.9.9 and prior, 6.10.4 and prior
  • MySQL Enterprise Monitor, versions 3.3.6.3293 and prior, 3.4.4.4226 and prior, 4.0.0.5135 and prior
  • MySQL Server, versions 5.5.58 and prior, 5.6.38 and prior, 5.7.20 and prior
  • Oracle Access Manager, versions 10.1.4.3.0, 11.1.2.3.0
  • Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1
  • Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6
  • Oracle Agile PLM MCAD Connector, versions 3.3, 3.4, 3.5, 3.6
  • Oracle Argus Safety, versions 7.x, 8.0.x, 8.1
  • Oracle Autovue for Agile Product Lifecycle Management, versions 21.0.0, 21.0.1
  • Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0
  • Oracle Banking Payments, versions 12.3.0, 12.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle Communications Application Session Controller, version 3.x
  • Oracle Communications BRM - Elastic Charging Engine, version 7.5
  • Oracle Communications Convergent Charging Controller, version 6.0
  • Oracle Communications Network Charging and Control, version 6.0
  • Oracle Communications Order and Service Management, versions 7.2.4.1.x, 7.2.4.2.x, 7.3.0.1.x, 7.3.0.x.x
  • Oracle Communications Services Gatekeeper, versions 5.1, 6.0
  • Oracle Communications Unified Inventory Management, versions 7.2.4.2.x, 7.3
  • Oracle Communications User Data Repository, versions 10.x, 12.x
  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1
  • Oracle Directory Server Enterprise Edition, version 11.1.1.7.0
  • Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
  • Oracle Endeca Information Discovery Integrator, versions 3.1.0, 3.2.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.5.x, 8.0.x
  • Oracle Financial Services Analytical Applications Reconciliation Framework, version 8.0.x
  • Oracle Financial Services Asset Liability Management, versions 6.1.x, 8.0.x
  • Oracle Financial Services Balance Sheet Planning, version 8.0.x
  • Oracle Financial Services Funds Transfer Pricing, versions 6.1.x, 8.0.x
  • Oracle Financial Services Hedge Management and IFRS Valuations, version 8.0.x
  • Oracle Financial Services Liquidity Risk Management, version 8.0.x
  • Oracle Financial Services Loan Loss Forecasting and Provisioning, version 8.0.x
  • Oracle Financial Services Market Risk, version 8.0.x
  • Oracle Financial Services Market Risk Measurement and Management, version 8.0.5
  • Oracle Financial Services Price Creation and Discovery, version 8.0.5
  • Oracle Financial Services Profitability Management, versions 6.1.x, 8.0.x
  • Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
  • Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 11.5.0, 11.6.0, 11.7.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0
  • Oracle Fusion Applications, versions 11.1.2 through 11.1.9
  • Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.3, 12.1.3.0, 12.2.1.2, 12.2.1.3
  • Oracle Health Sciences Empirica Inspections, version 1.0.1.1
  • Oracle Health Sciences Empirica Signal, version 8.0.1.0
  • Oracle Hospitality Cruise Dining Room Management, version 8.0.78
  • Oracle Hospitality Cruise Fleet Management, version 9.0.4.0
  • Oracle Hospitality Cruise Shipboard Property Management System, version 7.3.874
  • Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
  • Oracle Hospitality Labor Management, versions 8.5.1, 9.0.0
  • Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0
  • Oracle Hospitality Simphony, versions 2.7, 2.8, 2.9
  • Oracle HTTP Server, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle Hyperion Planning, version 11.1.2.4.007
  • Oracle Identity Manager, version 11.1.2.3.0
  • Oracle Identity Manager Connector, versions 9.0.4.20.6, 9.0.4.21.0, 9.0.4.25.4
  • Oracle Internet Directory, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0
  • Oracle iPlanet Web Server, version 7.0
  • Oracle Java SE, versions 6u171, 7u161, 8u152, 9.0.1
  • Oracle Java SE Embedded, version 8u151
  • Oracle JDeveloper, versions 11.1.1.2.4, 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.2.0
  • Oracle JRockit, version R28.3.16
  • Oracle Mobile Security Suite, version 3.0.1
  • Oracle Retail Assortment Planning, versions 14.1.3, 15.0.3, 16.0.1
  • Oracle Retail Convenience and Fuel POS Software, version 2.1.132
  • Oracle Retail Customer Management and Segmentation Foundation, versions 10.8.x, 11.4.x, 15.0.x, 16.0.x
  • Oracle Retail Fiscal Management, version 14.1
  • Oracle Retail Merchandising System, version 16.0
  • Oracle Retail Workforce Management, versions 1.60.7, 1.64.0
  • Oracle Secure Global Desktop (SGD), version 5.3
  • Oracle Transportation Management, versions 6.2.11, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1, 6.4.2, 6.4.3
  • Oracle Tuxedo System and Applications Monitor, version 12.1.3.0.0
  • Oracle VM VirtualBox, versions prior to 5.1.32, prior to 5.2.6
  • Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle WebCenter Sites, version 11.1.1.8.0
  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle X86 Servers, versions SW 1.x, SW 2.x
  • OSS Support Tools, versions prior to 2.11.33
  • PeopleSoft Enterprise FIN Supply Chain Portal Pack Argentina, version 9.1
  • PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil, version 9.1
  • PeopleSoft Enterprise FSCM, version 9.2
  • PeopleSoft Enterprise HCM Human Resources, versions 9.1, 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56
  • PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.00
  • PeopleSoft Enterprise SCM eProcurement, versions 9.1, 9.2
  • PeopleSoft Enterprise SCM Purchasing, version 9.2
  • Primavera Unifier, versions 10.x, 15.x, 16.x, 17.x
  • Siebel Applications, versions 16.0, 17.0
  • Solaris, versions 10, 11.3
  • Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.13
RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

Actions: 
  • After appropriate testing, immediately apply patches provided by Oracle to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.
  • Apply the Principle of Least Privilege to all systems and services.