Oracle Quarterly Critical Patches Issued April 17, 2018

ITS Advisory Number: 2018-043 - UPDATED
Date(s) Issued: Tuesday, April 17, 2018
Subject: Oracle Quarterly Critical Patches Issued April 17, 2018
Overview: 

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

ORIGINAL THREAT INTELLIGENCE

There are currently no reports of these vulnerabilities being exploited in the wild. There are reports of notable increases in scanning for port 7001, which is associated with CVE-2018-2628 affecting Oracle WebLogic.

April 30, 2018 - UPDATED THREAT INTELLIGENCE

A researcher has determined that the patch for CVE-2018-2628 can be bypassed by attackers. Systems patched for this vulnerability are still vulnerable to attack. Proof-of-concept code is available online, and there is an increase in scanning for hosts with port 7001 open. More information is available in the updated references below.

It is recommended to block incoming traffic to port 7001 until further patches are released.
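The following is an added example, not part of the ITS advisory, showing how an administrator might check whether the WebLogic default listen port 7001 is exposed on a non-loopback address and emit the firewall rule that blocks inbound traffic to it. The `ss` output is a constructed sample; the function names, the `inet filter` nftables table and the `ADMIN_NET` range exempted from the block are assumptions to adapt locally.

```shell
#!/bin/sh
# Added example (not from the advisory): audit exposure of TCP port 7001 and
# generate a rule that drops inbound traffic to it.

# Constructed sample standing in for the output of `ss -Htln` on a host.
SAMPLE_LISTENERS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:7001 0.0.0.0:*
LISTEN 0 128 127.0.0.1:7002 0.0.0.0:*'

# Assumed administrative range that may still reach port 7001; adjust locally.
ADMIN_NET="10.0.0.0/8"

# weblogic_exposed <ss-output>
# Returns 0 when port 7001 is listening on any non-loopback address, else 1.
weblogic_exposed() {
    printf '%s\n' "$1" | awk '
        {
            addr = $4                      # Local Address:Port column
            if (addr ~ /:7001$/) {
                sub(/:7001$/, "", addr)    # keep only the address part
                if (addr != "127.0.0.1" && addr != "[::1]") found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# block_rule <iptables|nft>
# Prints the command that drops inbound TCP 7001 except from ADMIN_NET.
block_rule() {
    case "$1" in
        iptables)
            printf 'iptables -I INPUT -p tcp --dport 7001 ! -s %s -j DROP\n' "$ADMIN_NET" ;;
        nft)
            printf 'nft add rule inet filter input tcp dport 7001 ip saddr != %s drop\n' "$ADMIN_NET" ;;
        *)
            return 2 ;;
    esac
}

# Stand-alone run against the constructed sample; on a real host replace
# "$SAMPLE_LISTENERS" with "$(ss -Htln)".
if weblogic_exposed "$SAMPLE_LISTENERS"; then
    echo "port 7001 is exposed; suggested rule:"
    block_rule iptables
else
    echo "port 7001 is not exposed on a non-loopback address"
fi
```

The exposure check only looks at listening sockets; a host behind a perimeter firewall that already drops 7001 will still be reported as exposed, so treat the result as a prompt to verify the filtering rule rather than proof of reachability.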

Systems Affected: 
  • Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0
  • Enterprise Manager for MySQL Database, version 12.1.0.4
  • Enterprise Manager for Virtualization, version 13.2
  • Enterprise Manager Ops Center, versions 12.2.2, 12.3.3
  • Hardware Management Pack, versions prior to 2.4.3
  • Instantis EnterpriseTrack, versions 17.1, 17.2
  • Integrated Lights Out Manager (ILOM), versions 3.x, 4.x
  • JD Edwards EnterpriseOne Tools, version 9.2.2
  • JD Edwards World Security, versions A9.2, A9.3, A9.4
  • Management Pack for Oracle GoldenGate, version 11.2.1.0.13
  • MICROS Handheld Terminal, versions Prior to Fusion 2.03.0.0.021R
  • MICROS Lucas, version 2.9.5
  • MySQL Cluster, versions 7.2.27 and prior, 7.3.16 and prior, 7.4.14 and prior, 7.5.5 and prior
  • MySQL Enterprise Monitor, versions 3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior
  • MySQL Server, versions 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
  • Oracle Access Manager, versions 10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0
  • Oracle Adaptive Access Manager, version 11.1.2.3.0
  • Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1
  • Oracle Agile PLM Framework, version 9.3.6
  • Oracle Agile Product Lifecycle Management for Process, versions 6.1.1.6, 6.2.0.0, 6.2.1.0
  • Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1
  • Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0
  • Oracle Banking Enterprise Collections, version 2.6
  • Oracle Banking Enterprise Originations, version 2.6
  • Oracle Banking Enterprise Product Manufacturing, version 2.6
  • Oracle Banking Payments, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0
  • Oracle Banking Platform, versions 2.4, 2.5, 2.6
  • Oracle Big Data Discovery, version 1.6.0
  • Oracle Business Intelligence Data Warehouse Administration Console, version 11.1.1.6.4
  • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle Communications Calendar Server, version 8.x
  • Oracle Communications Contacts Server, version 8.x
  • Oracle Communications EAGLE LNP Application Processor, versions 10.1.0.0.0 and prior
  • Oracle Communications Messaging Server, version 8.x
  • Oracle Communications MetaSolv Solution, version 6.3.0
  • Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
  • Oracle Communications Network Intelligence, version 7.3.x
  • Oracle Communications Order and Service Management, versions 7.2.4.3.0, 7.3.0.1.x, 7.3.1.0.7, 7.3.5.0.x
  • Oracle Communications Unified Inventory Management, version 7.x
  • Oracle Data Visualization Desktop, version 12.2.4.1.1
  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1.0.0
  • Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
  • Oracle Endeca Information Discovery Integrator, versions 3.1, 3.2
  • Oracle Endeca Information Discovery Studio, versions 7.6.1.0.0, 7.7.0.0.0
  • Oracle Endeca Server, version 7.7
  • Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.x, 8.0.x
  • Oracle Financial Services Basel Regulatory Capital Basic, version 8.0.x
  • Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, version 8.0.x
  • Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4, 8.0.5
  • Oracle Financial Services Market Risk Measurement and Management, version 8.0.5
  • Oracle FLEXCUBE Core Banking, versions 11.5.0, 11.6.0, 11.7.0
  • Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3.0, 14.0.0
  • Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0
  • Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
  • Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0
  • Oracle Fusion Applications, versions 11.1.2 through 11.1.9
  • Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.3, 12.1.3.0, 12.2.1.2, 12.2.1.3
  • Oracle Fusion Middleware MapViewer, versions 11.1.1.7.0, 11.1.1.9.0
  • Oracle GoldenGate, version 12.2.0.1
  • Oracle GoldenGate Veridata, versions 11.2.0.1.2, 12.1.3.0.0
  • Oracle Hospitality Cruise Fleet Management System, version 9.x
  • Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
  • Oracle Hospitality Reporting and Analytics, version 9.0
  • Oracle Hospitality Simphony, versions 2.7, 2.8, 2.9, 2.10
  • Oracle Hospitality Simphony First Edition, versions 1.6, 1.7
  • Oracle Hospitality Suite8, version 8.x
  • Oracle HTTP Server, versions 12.1.3, 12.2.1.2
  • Oracle Java SE, versions 6u181, 7u161, 7u171, 8u152, 8u162, 10
  • Oracle Java SE Embedded, versions 8u152, 8u161
  • Oracle JRockit, version R28.3.17
  • Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle Mobile Security Suite, version 3.0.1
  • Oracle Outside In Technology, version 8.5.3
  • Oracle Retail Advanced Inventory Planning, versions 13.2, 13.4, 14.1, 15.0
  • Oracle Retail Back Office, versions 13.4.9, 14.0.4, 14.1.3
  • Oracle Retail Central Office, versions 13.4.9, 14.0.4, 14.1.3
  • Oracle Retail Customer Engagement, version 16.0
  • Oracle Retail EFTLink, versions 1.1.125, 15.0.2, 16.0.3
  • Oracle Retail Insights, versions 14.0, 14.1, 15.0, 16.0
  • Oracle Retail Integration Bus, version 13.2
  • Oracle Retail Invoice Matching, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0
  • Oracle Retail Merchandising System, version 16.0
  • Oracle Retail Order Broker, versions 5.0, 5.1, 5.2, 15.0, 16.0
  • Oracle Retail Order Management System, versions 4.0, 4.5, 4.7, 5.0
  • Oracle Retail Point-of-Service, versions 13.3.8, 13.4.9, 14.0.4, 14.1.3
  • Oracle Retail Predictive Application Server, versions 13.4.3, 14.0.3, 14.1.3
  • Oracle Retail Price Management, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0
  • Oracle Retail Returns Management, versions 2.3.8, 2.4.9, 14.0.4, 14.1.3
  • Oracle Retail Store Inventory Management, versions 12.0.12, 13.0.7, 13.1.9, 13.2.9, 14.0.4, 14.1.3, 15.0.2, 16.0.1
  • Oracle Retail Xstore Point of Service, versions 6.0, 6.0.12, 6.5, 6.5.12, 7.0, 7.0.7, 7.1, 7.1.7, 15.0, 15.0.2, 16.0, 16.0.3
  • Oracle Secure Global Desktop (SGD), version 5.3
  • Oracle Security Service, versions 12.1.3.0.0, 12.2.1.2.0
  • Oracle Transportation Management, versions 6.2, 6.4.3
  • Oracle Tuxedo, version 12.1.1.0.0
  • Oracle Utilities Framework, versions 2.2.0, 4.2.0, 4.3.0
  • Oracle VM VirtualBox, versions prior to 5.1.36, prior to 5.2.10
  • Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle WebCenter Portal, versions 12.2.1.2.0, 12.2.1.3.0
  • Oracle WebCenter Sites, versions 11.1.1.8.0, 12.2.1.2.0, 12.2.1.3.0
  • Oracle WebLogic Portal, version 10.3.6.0.0
  • Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
  • OSS Support Tools, versions prior to 18.2
  • PeopleSoft Enterprise HCM, version 9.2
  • PeopleSoft Enterprise HCM Shared Components, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56
  • PeopleSoft Enterprise PRTL Interaction Hub, version 9.1
  • PeopleSoft Enterprise PT PeopleTools, versions 8.54, 8.55, 8.56
  • Primavera P6 Enterprise Project Portfolio Management, versions 16.2, 17.1 – 17.12
  • Primavera Unifier, versions 16.x, 17.x
  • Real-Time Decisions (RTD) Solutions, version 3.2.0.0.0
  • Siebel Applications, version 17.0
  • Solaris, versions 10, 11.3
  • Solaris Cluster, version 4.3
  • Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.17
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description: 

N/A

Actions: 
  • After appropriate testing, immediately apply the patches provided by Oracle to vulnerable systems.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.
References: 

Oracle:

http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html

April 30, 2018 - UPDATED REFERENCES:

Bleeping Computer:

https://www.bleepingcomputer.com/news/security/hackers-scan-the-web-for-vulnerable-weblogic-servers-after-oracle-botches-patch/